
Plz help me removing virus from my laptop



deepak4490
2009-07-14, 00:08
I had AVG installed on my laptop and for 2-3 days it has been saying that the system is infected with Crypto, Downadup and Asxs Worm. AVG moves them to the vault, but again after some time it says that the system is infected.
Now I removed AVG and installed Avast antivirus - it's not detecting anything. But I am sure my system is infected because the internet is very slow.

Here's the HijackThis log :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:38:04 AM, on 7/14/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: (no name) - CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - Global Startup: 24Online Client.lnk = C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{F294541A-6EC8-4BEA-B87A-373231CFEAA6}: NameServer = 202.88.149.25,202.88.149.6
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

--
End of file - 3647 bytes

Somebody please help me, it's very urgent.
Otherwise I have to lose all my data if I format my system.


Edit: Please don't add posts to your topic until a helper responds. ;)
"BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance): http://forums.spybot.info/showthread.php?t=288
The Waiting Room: Post here if waiting for help longer than four days: http://forums.spybot.info/forumdisplay.php?f=37

Blade81
2009-07-15, 19:22
Hi there,

Download DDS and save it to your desktop from here (http://www.techsupportforum.com/sectools/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt

Save both reports to your desktop. Post them back to your topic.

deepak4490
2009-07-16, 12:48
Here's the log file for DDS

DDS (Ver_09-06-26.01) - NTFSx86
Run by Deepak at 15:15:10.95 on Thu 07/16/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1617 [GMT 5.5:30]

AV: avast! antivirus 4.8.1335 [VPS 090716-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Deepak\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = about:blank
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\24onli~1.lnk - c:\program files\elitecore\cyberoam client for 24online\CyberoamClient.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
TCP: {F294541A-6EC8-4BEA-B87A-373231CFEAA6} = 202.88.149.25,202.88.149.6
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\deepak\applic~1\mozilla\firefox\profiles\mj97nr66.default\

============= SERVICES / DRIVERS ===============

R0 ENO;ENO;c:\windows\system32\drivers\ENO.sys [2004-5-27 51564]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-7-12 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-7-12 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-7-12 138680]
S2 ltgedt;Microsoft Network;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S2 piifysrtm;System Security;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\deepak\locals~1\temp\alsysio.sys --> c:\docume~1\deepak\locals~1\temp\ALSysIO.sys [?]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-7-12 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-7-12 352920]

=============== Created Last 30 ================

2009-07-14 02:37 <DIR> --d----- c:\program files\Trend Micro
2009-07-12 15:22 1,060,864 a------- c:\windows\system32\MFC71.dll
2009-07-12 15:22 499,712 a------- c:\windows\system32\MSVCP71.dll
2009-07-12 15:22 348,160 a------- c:\windows\system32\MSVCR71.dll
2009-07-12 01:20 3,072 a------- c:\windows\system32\drivers\audstub.sys
2009-07-12 01:19 57,472 a------- c:\windows\system32\drivers\redbook.sys
2009-07-12 01:19 23,040 a------- c:\windows\system32\drivers\mouclass.sys
2009-07-12 01:19 74,240 ac------ c:\windows\system32\dllcache\usbui.dll
2009-07-12 01:19 74,240 a------- c:\windows\system32\usbui.dll
2009-07-12 01:18 9,344 a------- c:\windows\system32\drivers\compbatt.sys
2009-07-12 01:18 14,080 a------- c:\windows\system32\drivers\battc.sys
2009-07-12 01:18 14,080 a------- c:\windows\system32\drivers\CmBatt.sys
2009-07-12 01:17 <DIR> --d----- c:\program files\common files\ODBC
2009-07-12 01:17 <DIR> --d----- c:\program files\common files\SpeechEngines
2009-07-12 01:17 <DIR> --d--r-- c:\documents and settings\all users\Documents
2009-07-12 01:16 <DIR> --d----- C:\Documents and Settings
2009-07-12 01:15 261 a------- c:\windows\system32\$winnt$.inf
2009-07-12 01:12 <DIR> --d----- c:\program files\RomanWare
2009-07-12 00:56 <DIR> --d----- c:\program files\AVG
2009-07-11 23:22 <DIR> --ds---- c:\documents and settings\deepak\UserData
2009-07-11 23:19 <DIR> --d----- c:\program files\Synaptics
2009-07-11 23:09 <DIR> --d----- c:\program files\PaqTool
2009-07-11 23:05 <DIR> --d----- c:\program files\eLitecore
2009-07-11 22:58 <DIR> --d----- c:\docume~1\deepak\applic~1\Intel
2009-07-11 19:58 <DIR> --dsh--- c:\documents and settings\all users\DRM
2009-07-11 19:57 <DIR> --d-h--- c:\program files\WindowsUpdate
2009-07-11 19:56 <DIR> --d----- c:\program files\common files\MSSoap
2009-07-11 19:55 <DIR> --d----- c:\program files\Online Services
2009-07-11 19:55 <DIR> --d----- c:\program files\Messenger
2009-07-11 19:55 <DIR> --d----- c:\program files\MSN Gaming Zone
2009-07-11 19:54 <DIR> --d----- c:\program files\Windows NT

==================== Find3M ====================

2009-07-12 20:54 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-07-11 23:09 4,100 a------- c:\windows\system32\hdvirffo.dll
2009-07-11 22:57 356,352 a------- c:\windows\system32\AegisI5Installer.exe
2009-07-11 22:57 21,393 a------- c:\windows\system32\drivers\AegisP.sys
2009-07-11 22:57 21,393 a------- c:\windows\AegisP.sys
2009-07-11 19:55 21,640 a------- c:\windows\system32\emptyregdb.dat

============= FINISH: 15:15:22.95 ===============


Here's the log file for Attach

DDS (Ver_09-06-26.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 7/11/2009 8:00:52 PM
System Uptime: 7/16/2009 12:03:31 PM (3 hours ago)

Motherboard: Siemens AG | | A5E00860612
Processor: Intel(R) Core(TM)2 Duo CPU T7500 @ 2.20GHz | CPU | 1184/800mhz
Processor: Intel(R) Core(TM)2 Duo CPU T7500 @ 2.20GHz | CPU | 2194/800mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 39 GiB total, 34.995 GiB free.
D: is FIXED (NTFS) - 49 GiB total, 47.566 GiB free.
E: is FIXED (NTFS) - 61 GiB total, 61.088 GiB free.
F: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID:
Description: Modem Device on High Definition Audio Bus
Device ID: HDAUDIO\FUNC_02&VEN_1057&DEV_3055&SUBSYS_10573055&REV_1007\4&22A8E352&0&0101
Manufacturer:
Name: Modem Device on High Definition Audio Bus
PNP Device ID: HDAUDIO\FUNC_02&VEN_1057&DEV_3055&SUBSYS_10573055&REV_1007\4&22A8E352&0&0101
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Network Controller
Device ID: PCI\VEN_110A&DEV_3141&SUBSYS_000110B5&REV_02\4&3B3A03B5&0&50F0
Manufacturer:
Name: Network Controller
PNP Device ID: PCI\VEN_110A&DEV_3141&SUBSYS_000110B5&REV_02\4&3B3A03B5&0&50F0
Service:

==== System Restore Points ===================

RP1: 7/12/2009 11:38:45 PM - System Checkpoint
RP2: 7/13/2009 12:19:31 AM - Avg8 Update
RP3: 7/14/2009 2:17:08 AM - System Checkpoint
RP4: 7/14/2009 2:27:07 AM - Removed AVG 8.5
RP5: 7/15/2009 2:45:49 AM - System Checkpoint
RP6: 7/16/2009 7:46:29 AM - System Checkpoint

==== Installed Programs ======================

A-Mac Address Change 5.4
avast! Antivirus
Cole2k Media - Codec Pack (Advanced) 7.6.0
Cyberoam Client for 24Online
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections 12.2.41.0
Intel(R) PROSet/Wireless Software
mCore
mDriver
mDrWiFi
mHelp
Microsoft .NET Framework 2.0
Microsoft Visual C++ 2005 Redistributable
mIWA
mLogView
mMHouse
Mozilla Firefox (3.0.11)
mPfMgr
mPfWiz
mProSafe
mSCfg
MSXML 6.0 Parser
mWlsSafe
mZConfig
Synaptics Pointing Device Driver
VBRunALL
WebFldrs XP
WinRAR archiver

==== Event Viewer Messages From Past Week ========

7/15/2009 8:25:43 AM, error: BROWSER [8009] - The browser was unable to promote itself to master browser. The computer that currently believes it is the master browser is SAI-B2761CE3D5D.
7/14/2009 9:36:22 PM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer HDSH-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{F294541A-6EC8-4BEA-B. The master browser is stopping or an election is being forced.
7/14/2009 4:22:47 PM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer ADMIN that believes that it is the master browser for the domain on transport NetBT_Tcpip_{F294541A-6EC8-4BEA-B87. The master browser is stopping or an election is being forced.
7/13/2009 9:55:57 AM, error: BROWSER [8007] - The browser was unable to update the service status bits. The data is the error.
7/13/2009 9:39:42 AM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer GURPREET that believes that it is the master browser for the domain on transport NetBT_Tcpip_{F294541A-6EC8-4BEA-. The master browser is stopping or an election is being forced.
7/13/2009 8:34:31 PM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer JASHWANT that believes that it is the master browser for the domain on transport NetBT_Tcpip_{F294541A-6EC8-4BEA-. The master browser is stopping or an election is being forced.
7/13/2009 7:41:28 AM, error: NetBT [4321] - The name "WORKGROUP :1d" could not be registered on the Interface with IP address 10.1.249.18. The machine with the IP address 10.1.249.182 did not allow the name to be claimed by this machine.
7/13/2009 7:30:06 PM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer KUSHAL that believes that it is the master browser for the domain on transport NetBT_Tcpip_{F294541A-6EC8-4BEA-B8. The master browser is stopping or an election is being forced.
7/13/2009 4:17:31 PM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer SONY-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{F294541A-6EC8-4BEA-B. The master browser is stopping or an election is being forced.
7/13/2009 3:25:50 PM, error: NetBT [4321] - The name "WORKGROUP :1d" could not be registered on the Interface with IP address 10.1.249.18. The machine with the IP address 10.1.249.144 did not allow the name to be claimed by this machine.
7/13/2009 11:20:38 PM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer HP-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{F294541A-6EC8-4BEA-B87. The master browser is stopping or an election is being forced.
7/13/2009 10:19:09 PM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer SURBIR-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{F294541A-6EC8-4BEA. The master browser is stopping or an election is being forced.
7/13/2009 1:59:20 AM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer LENOVO-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{F294541A-6EC8-4BEA. The master browser is stopping or an election is being forced.
7/12/2009 6:34:25 PM, error: Service Control Manager [7023] - The System Security service terminated with the following error: The specified procedure could not be found.
7/12/2009 6:23:11 PM, error: Service Control Manager [7023] - The System Security service terminated with the following error: A dynamic link library (DLL) initialization routine failed.
7/12/2009 4:14:49 PM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer SAIBABA-6762BA0 that believes that it is the master browser for the domain on transport NetBT_Tcpip_{F294541A-6EC. The master browser is stopping or an election is being forced.
7/12/2009 11:38:43 PM, error: Service Control Manager [7023] - The System Security service terminated with the following error: The specified module could not be found.
7/12/2009 11:38:43 PM, error: Service Control Manager [7023] - The Microsoft Network service terminated with the following error: The specified module could not be found.
7/12/2009 10:55:03 PM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer AAA-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{F294541A-6EC8-4BEA-B8. The master browser is stopping or an election is being forced.
7/11/2009 11:11:37 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
7/11/2009 11:01:50 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC80.CRT. Reference error message: The referenced assembly is not installed on your system. .
7/11/2009 11:01:50 PM, error: SideBySide [59] - Generate Activation Context failed for C:\WINDOWS\system32\C2MP\npdivx32.dll. Reference error message: The operation completed successfully. .
7/11/2009 11:01:50 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC80.CRT could not be found and Last Error was The referenced assembly is not installed on your system.

==== End Of File ===========================
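The DDS SERVICES / DRIVERS section above shows two stopped services (ltgedt, piifysrtm) registered to run inside svchost -k netsvcs under generic display names, plus a driver (ALSysIO) loading from a Temp directory. The following Python script is an added example, not part of the original thread or of DDS itself: it parses lines in that format and flags both patterns. The sample lines are copied from the log above, and the partial netsvcs allowlist is an assumption for the demonstration, not an authoritative baseline.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the SERVICES / DRIVERS lines from the DDS log above,
# in DDS's "<start> <name>;<display name>;<image path> [date size]" form.
SAMPLE_DDS_SERVICES = r"""
R0 ENO;ENO;c:\windows\system32\drivers\ENO.sys [2004-5-27 51564]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-7-12 114768]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-7-12 138680]
S2 ltgedt;Microsoft Network;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S2 piifysrtm;System Security;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\deepak\locals~1\temp\alsysio.sys --> c:\docume~1\deepak\locals~1\temp\ALSysIO.sys [?]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-7-12 254040]
"""

# Assumption: a partial allowlist of service names that legitimately run inside the
# svchost "netsvcs" group on Windows XP. A real audit would take the baseline from a
# known-clean machine of the same build; this subset exists only for the demonstration.
NETSVCS_BASELINE = {
    "audiosrv", "browser", "cryptsvc", "dhcp", "dnscache", "ersvc", "eventsystem",
    "helpsvc", "lanmanserver", "lanmanworkstation", "netman", "nla", "rasman",
    "schedule", "seclogon", "sens", "sharedaccess", "shellhwdetection", "themes",
    "trkwks", "w32time", "winmgmt", "wscsvc", "wuauserv", "wzcsvc", "bits",
}

# Directory fragments that no service or kernel driver image should be loaded from.
TEMP_OR_PROFILE_DIRS = re.compile(
    r"\\(temp|locals~1\\temp|local settings\\temp|docume~1|documents and settings)\\",
    re.IGNORECASE,
)


@dataclass
class ServiceEntry:
    start: str                    # DDS start type: R0..R3 running, S0..S4 stopped
    name: str                     # registry key name of the service/driver
    display: str                  # display name as shown in services.msc
    image: str                    # image path (the resolved path after "-->" if DDS printed one)
    svchost_group: Optional[str]  # "-k <group>" argument when hosted by svchost, else None


@dataclass
class Finding:
    name: str
    reason: str


def parse_dds_service_line(line: str) -> Optional[ServiceEntry]:
    """Parse one DDS SERVICES / DRIVERS line; return None for lines in any other format."""
    m = re.match(r"^([RS]\d)\s+(.*)$", line.strip())
    if not m:
        return None
    start, rest = m.group(1), m.group(2)
    parts = rest.split(";", 2)
    if len(parts) != 3:
        return None
    name, display, path_part = (p.strip() for p in parts)
    path_part = re.sub(r"\s*\[[^\]]*\]\s*$", "", path_part)  # drop trailing "[date size]" / "[?]"
    if "-->" in path_part:
        path_part = path_part.split("-->", 1)[1].strip()      # keep DDS's resolved path
    group = None
    gm = re.search(r"svchost(?:\.exe)?\s+-k\s+(\S+)", path_part, re.IGNORECASE)
    if gm:
        group = gm.group(1).lower()
    return ServiceEntry(start, name, display, path_part, group)


def audit_dds_services(text: str) -> List[Finding]:
    """Flag netsvcs-hosted services outside the baseline and images under temp/profile dirs."""
    findings: List[Finding] = []
    for line in text.splitlines():
        entry = parse_dds_service_line(line)
        if entry is None:
            continue
        if entry.svchost_group == "netsvcs" and entry.name.lower() not in NETSVCS_BASELINE:
            findings.append(Finding(
                entry.name,
                f"svchost netsvcs service not in baseline (display name '{entry.display}')"))
        if TEMP_OR_PROFILE_DIRS.search(entry.image):
            findings.append(Finding(
                entry.name, f"image loads from a temp/user-profile path: {entry.image}"))
    return findings


if __name__ == "__main__":
    for f in audit_dds_services(SAMPLE_DDS_SERVICES):
        print(f"{f.name}: {f.reason}")
```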

Blade81
2009-07-16, 17:43
Hi again,

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:


Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.


Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds.txt log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

deepak4490
2009-07-16, 22:24
Combofix Log File

ComboFix 09-07-14.08 - Deepak 07/17/2009 0:47.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1675 [GMT 5.5:30]
Running from: c:\documents and settings\Deepak\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090716-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2009-06-16 to 2009-07-16 )))))))))))))))))))))))))))))))
.

2009-07-16 16:38 . 2009-07-16 16:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-07-16 16:35 . 2009-07-16 16:36 -------- d-----w- c:\program files\Yahoo!
2009-07-13 21:07 . 2009-07-13 21:07 -------- d-----w- c:\program files\Trend Micro
2009-07-12 12:59 . 2009-07-12 12:59 1078 ----a-r- c:\documents and settings\Deepak\Application Data\Microsoft\Installer\{30BA50ED-0F32-421B-BC6A-132A03EFF299}\ARPPRODUCTICON.exe
2009-07-12 10:08 . 2009-07-12 10:08 12328 ----a-w- c:\documents and settings\Deepak\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-12 09:53 . 2009-02-05 21:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-07-12 09:53 . 2009-02-05 21:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-07-12 09:53 . 2009-02-05 21:05 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-07-12 09:52 . 2009-02-05 21:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-07-12 09:52 . 2009-02-05 21:08 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-07-12 09:52 . 2009-02-05 21:08 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-07-12 09:52 . 2009-02-05 21:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-07-12 09:52 . 2009-02-05 21:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-07-12 09:52 . 2009-02-05 21:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
2009-07-12 09:52 . 2003-03-18 20:20 1060864 ----a-w- c:\windows\system32\MFC71.dll
2009-07-12 09:52 . 2003-03-18 19:14 499712 ----a-w- c:\windows\system32\MSVCP71.dll
2009-07-12 09:52 . 2003-02-21 03:42 348160 ----a-w- c:\windows\system32\MSVCR71.dll
2009-07-12 09:52 . 2009-07-12 09:52 -------- d-----w- c:\program files\Alwil Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-12 15:24 . 2009-07-11 14:28 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-07-11 19:42 . 2009-07-11 19:42 -------- d-----w- c:\program files\RomanWare
2009-07-11 19:28 . 2009-07-11 19:28 0 ----a-w- c:\windows\nsreg.dat
2009-07-11 19:26 . 2009-07-11 19:26 -------- d-----w- c:\program files\AVG
2009-07-11 17:49 . 2009-07-11 17:49 -------- d-----w- c:\program files\Synaptics
2009-07-11 17:49 . 2009-07-11 17:49 -------- d-----w- c:\program files\Common Files\InstallShield
2009-07-11 17:39 . 2009-07-11 17:39 4100 ----a-w- c:\windows\system32\hdvirffo.dll
2009-07-11 17:39 . 2009-07-11 17:39 -------- d-----w- c:\program files\PaqTool
2009-07-11 17:35 . 2009-07-11 17:35 -------- d-----w- c:\program files\eLitecore
2009-07-11 17:28 . 2009-07-11 17:28 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Intel
2009-07-11 17:28 . 2009-07-11 17:28 -------- d-----w- c:\documents and settings\LocalService\Application Data\Intel
2009-07-11 17:28 . 2009-07-11 17:28 -------- d-----w- c:\documents and settings\Default User\Application Data\Intel
2009-07-11 17:28 . 2009-07-11 17:28 -------- d-----w- c:\documents and settings\Deepak\Application Data\Intel
2009-07-11 17:27 . 2009-07-11 17:27 356352 ----a-w- c:\windows\system32\AegisI5Installer.exe
2009-07-11 17:27 . 2009-07-11 17:27 21393 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-07-11 17:27 . 2009-07-11 17:27 21393 ----a-w- c:\windows\AegisP.sys
2009-07-11 17:27 . 2009-07-11 17:27 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Intel
2009-07-11 17:27 . 2009-07-11 17:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Intel
2009-07-11 17:27 . 2009-07-11 17:20 -------- d-----w- c:\program files\Intel
2009-07-11 14:29 . 2009-07-11 14:29 -------- d-----w- c:\program files\microsoft frontpage
2009-07-11 14:25 . 2009-07-11 14:25 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-07-15 12:14 . 2009-07-11 19:28 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-08-10 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-08-10 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-08-10 137752]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 974848]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-19 774233]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-07 61952]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
24Online Client.lnk - c:\program files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe [2004-5-31 249856]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2652:TCP"= 2652:TCP:exsjt

R0 ENO;ENO;c:\windows\system32\drivers\ENO.sys [5/27/2004 6:51 PM 51564]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [7/12/2009 3:22 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/12/2009 3:22 PM 20560]
S2 ltgedt;Microsoft Network;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 6:26 AM 14336]
S2 piifysrtm;System Security;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 6:26 AM 14336]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\Deepak\LOCALS~1\Temp\ALSysIO.sys --> c:\docume~1\Deepak\LOCALS~1\Temp\ALSysIO.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
piifysrtm
ltgedt
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = about:blank
TCP: {F294541A-6EC8-4BEA-B87A-373231CFEAA6} = 202.88.149.25,202.88.149.6
FF - ProfilePath - c:\documents and settings\Deepak\Application Data\Mozilla\Firefox\Profiles\mj97nr66.default\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-17 00:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ltgedt]
"ServiceDll"="c:\program files\Internet Explorer\oauhyn.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\piifysrtm]
"ServiceDll"="c:\windows\system32\oauhyn.dll"
.
Completion time: 2009-07-16 0:49
ComboFix-quarantined-files.txt 2009-07-16 19:19

Pre-Run: 37,455,081,472 bytes free
Post-Run: 37,481,230,336 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect



DDS Log File

DDS (Ver_09-06-26.01) - NTFSx86
Run by Deepak at 0:53:36.89 on Fri 07/17/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1594 [GMT 5.5:30]

AV: avast! antivirus 4.8.1335 [VPS 090716-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Deepak\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = about:blank
mURLSearchHooks: H - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\24onli~1.lnk - c:\program files\elitecore\cyberoam client for 24online\CyberoamClient.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
TCP: {F294541A-6EC8-4BEA-B87A-373231CFEAA6} = 202.88.149.25,202.88.149.6
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\deepak\applic~1\mozilla\firefox\profiles\mj97nr66.default\

============= SERVICES / DRIVERS ===============

R0 ENO;ENO;c:\windows\system32\drivers\ENO.sys [2004-5-27 51564]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-7-12 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-7-12 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-7-12 138680]
S2 ltgedt;Microsoft Network;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S2 piifysrtm;System Security;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\deepak\locals~1\temp\alsysio.sys --> c:\docume~1\deepak\locals~1\temp\ALSysIO.sys [?]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-7-12 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-7-12 352920]

=============== Created Last 30 ================

2009-07-17 00:49 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-07-17 00:47 <DIR> a-dshr-- C:\cmdcons
2009-07-17 00:40 219,648 a------- c:\windows\PEV.exe
2009-07-17 00:40 161,792 a------- c:\windows\SWREG.exe
2009-07-17 00:40 98,816 a------- c:\windows\sed.exe
2009-07-16 22:05 <DIR> --d----- c:\program files\Yahoo!
2009-07-14 02:37 <DIR> --d----- c:\program files\Trend Micro
2009-07-12 15:22 1,060,864 a------- c:\windows\system32\MFC71.dll
2009-07-12 15:22 499,712 a------- c:\windows\system32\MSVCP71.dll
2009-07-12 15:22 348,160 a------- c:\windows\system32\MSVCR71.dll
2009-07-12 01:20 3,072 a------- c:\windows\system32\drivers\audstub.sys
2009-07-12 01:19 57,472 a------- c:\windows\system32\drivers\redbook.sys
2009-07-12 01:19 23,040 a------- c:\windows\system32\drivers\mouclass.sys
2009-07-12 01:19 74,240 ac------ c:\windows\system32\dllcache\usbui.dll
2009-07-12 01:19 74,240 a------- c:\windows\system32\usbui.dll
2009-07-12 01:18 9,344 a------- c:\windows\system32\drivers\compbatt.sys
2009-07-12 01:18 14,080 a------- c:\windows\system32\drivers\battc.sys
2009-07-12 01:18 14,080 a------- c:\windows\system32\drivers\CmBatt.sys
2009-07-12 01:17 <DIR> --d----- c:\program files\common files\ODBC
2009-07-12 01:17 <DIR> --d----- c:\program files\common files\SpeechEngines
2009-07-12 01:17 <DIR> --d--r-- c:\documents and settings\all users\Documents
2009-07-12 01:16 <DIR> --d----- C:\Documents and Settings
2009-07-12 01:15 261 a------- c:\windows\system32\$winnt$.inf
2009-07-12 01:12 <DIR> --d----- c:\program files\RomanWare
2009-07-12 00:56 <DIR> --d----- c:\program files\AVG
2009-07-11 23:22 <DIR> --ds---- c:\documents and settings\deepak\UserData
2009-07-11 23:19 <DIR> --d----- c:\program files\Synaptics
2009-07-11 23:09 <DIR> --d----- c:\program files\PaqTool
2009-07-11 23:05 <DIR> --d----- c:\program files\eLitecore
2009-07-11 22:58 <DIR> --d----- c:\docume~1\deepak\applic~1\Intel
2009-07-11 19:58 <DIR> --dsh--- c:\documents and settings\all users\DRM
2009-07-11 19:57 <DIR> --d-h--- c:\program files\WindowsUpdate
2009-07-11 19:56 <DIR> --d----- c:\program files\common files\MSSoap
2009-07-11 19:55 <DIR> --d----- c:\program files\Online Services
2009-07-11 19:55 <DIR> --d----- c:\program files\Messenger
2009-07-11 19:55 <DIR> --d----- c:\program files\MSN Gaming Zone
2009-07-11 19:54 <DIR> --d----- c:\program files\Windows NT

==================== Find3M ====================

2009-07-12 20:54 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-07-11 23:09 4,100 a------- c:\windows\system32\hdvirffo.dll
2009-07-11 22:57 356,352 a------- c:\windows\system32\AegisI5Installer.exe
2009-07-11 22:57 21,393 a------- c:\windows\system32\drivers\AegisP.sys
2009-07-11 22:57 21,393 a------- c:\windows\AegisP.sys
2009-07-11 19:55 21,640 a------- c:\windows\system32\emptyregdb.dat

============= FINISH: 0:53:43.57 ===============

Attach Log File

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-06-26.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 7/11/2009 8:00:52 PM
System Uptime: 7/17/2009 12:16:33 AM (0 hours ago)

Motherboard: Siemens AG | | A5E00860612
Processor: Intel(R) Core(TM)2 Duo CPU T7500 @ 2.20GHz | CPU | 1184/800mhz
Processor: Intel(R) Core(TM)2 Duo CPU T7500 @ 2.20GHz | CPU | 2194/800mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 39 GiB total, 34.922 GiB free.
D: is FIXED (NTFS) - 49 GiB total, 47.556 GiB free.
E: is FIXED (NTFS) - 61 GiB total, 61.086 GiB free.
F: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID:
Description: Modem Device on High Definition Audio Bus
Device ID: HDAUDIO\FUNC_02&VEN_1057&DEV_3055&SUBSYS_10573055&REV_1007\4&22A8E352&0&0101
Manufacturer:
Name: Modem Device on High Definition Audio Bus
PNP Device ID: HDAUDIO\FUNC_02&VEN_1057&DEV_3055&SUBSYS_10573055&REV_1007\4&22A8E352&0&0101
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Network Controller
Device ID: PCI\VEN_110A&DEV_3141&SUBSYS_000110B5&REV_02\4&3B3A03B5&0&50F0
Manufacturer:
Name: Network Controller
PNP Device ID: PCI\VEN_110A&DEV_3141&SUBSYS_000110B5&REV_02\4&3B3A03B5&0&50F0
Service:

==== System Restore Points ===================

RP1: 7/12/2009 11:38:45 PM - System Checkpoint
RP2: 7/13/2009 12:19:31 AM - Avg8 Update
RP3: 7/14/2009 2:17:08 AM - System Checkpoint
RP4: 7/14/2009 2:27:07 AM - Removed AVG 8.5
RP5: 7/15/2009 2:45:49 AM - System Checkpoint
RP6: 7/16/2009 7:46:29 AM - System Checkpoint
RP7: 7/16/2009 7:57:53 PM - Installed Windows XP KB888111WXPSP2.

==== Installed Programs ======================

A-Mac Address Change 5.4
avast! Antivirus
Cole2k Media - Codec Pack (Advanced) 7.6.0
Cyberoam Client for 24Online
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections 12.2.41.0
Intel(R) PROSet/Wireless Software
mCore
mDriver
mDrWiFi
mHelp
Microsoft .NET Framework 2.0
Microsoft Visual C++ 2005 Redistributable
mIWA
mLogView
mMHouse
Mozilla Firefox (3.0.11)
mPfMgr
mPfWiz
mProSafe
mSCfg
MSXML 6.0 Parser
mWlsSafe
mZConfig
Synaptics Pointing Device Driver
VBRunALL
WebFldrs XP
WinRAR archiver
Yahoo! Messenger

==== Event Viewer Messages From Past Week ========

7/17/2009 12:47:43 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.
7/17/2009 12:15:18 AM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
7/16/2009 6:57:17 PM, error: ACPIEC [1] - \Device\ACPIEC: The embedded controller (EC) hardware didn't respond within the timeout period. This may indicate an error in the EC hardware or firmware, or possibly a poorly designed BIOS which accesses the EC in an unsafe manner. The EC driver will retry the failed transaction if possible.
7/16/2009 3:40:02 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
7/15/2009 8:25:43 AM, error: BROWSER [8009] - The browser was unable to promote itself to master browser. The computer that currently believes it is the master browser is SAI-B2761CE3D5D.
7/14/2009 9:36:22 PM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer HDSH-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{F294541A-6EC8-4BEA-B. The master browser is stopping or an election is being forced.
7/14/2009 4:22:47 PM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer ADMIN that believes that it is the master browser for the domain on transport NetBT_Tcpip_{F294541A-6EC8-4BEA-B87. The master browser is stopping or an election is being forced.
7/13/2009 9:55:57 AM, error: BROWSER [8007] - The browser was unable to update the service status bits. The data is the error.
7/13/2009 9:39:42 AM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer GURPREET that believes that it is the master browser for the domain on transport NetBT_Tcpip_{F294541A-6EC8-4BEA-. The master browser is stopping or an election is being forced.
7/13/2009 8:35:28 AM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer LENOVO-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{F294541A-6EC8-4BEA. The master browser is stopping or an election is being forced.
7/13/2009 8:34:31 PM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer JASHWANT that believes that it is the master browser for the domain on transport NetBT_Tcpip_{F294541A-6EC8-4BEA-. The master browser is stopping or an election is being forced.
7/13/2009 7:46:38 AM, error: NetBT [4321] - The name "WORKGROUP :1d" could not be registered on the Interface with IP address 10.1.249.18. The machine with the IP address 10.1.249.182 did not allow the name to be claimed by this machine.
7/13/2009 7:30:06 PM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer KUSHAL that believes that it is the master browser for the domain on transport NetBT_Tcpip_{F294541A-6EC8-4BEA-B8. The master browser is stopping or an election is being forced.
7/13/2009 4:17:31 PM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer SONY-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{F294541A-6EC8-4BEA-B. The master browser is stopping or an election is being forced.
7/13/2009 3:25:50 PM, error: NetBT [4321] - The name "WORKGROUP :1d" could not be registered on the Interface with IP address 10.1.249.18. The machine with the IP address 10.1.249.144 did not allow the name to be claimed by this machine.
7/13/2009 11:35:28 AM, error: Service Control Manager [7023] - The System Security service terminated with the following error: The specified module could not be found.
7/13/2009 11:35:28 AM, error: Service Control Manager [7023] - The Microsoft Network service terminated with the following error: The specified module could not be found.
7/13/2009 11:20:38 PM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer HP-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{F294541A-6EC8-4BEA-B87. The master browser is stopping or an election is being forced.
7/13/2009 10:19:09 PM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer SURBIR-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{F294541A-6EC8-4BEA. The master browser is stopping or an election is being forced.
7/12/2009 6:34:25 PM, error: Service Control Manager [7023] - The System Security service terminated with the following error: The specified procedure could not be found.
7/12/2009 6:23:11 PM, error: Service Control Manager [7023] - The System Security service terminated with the following error: A dynamic link library (DLL) initialization routine failed.
7/12/2009 4:14:49 PM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer SAIBABA-6762BA0 that believes that it is the master browser for the domain on transport NetBT_Tcpip_{F294541A-6EC. The master browser is stopping or an election is being forced.
7/12/2009 10:55:03 PM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer AAA-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{F294541A-6EC8-4BEA-B8. The master browser is stopping or an election is being forced.
7/11/2009 11:11:37 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
7/11/2009 11:01:50 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC80.CRT. Reference error message: The referenced assembly is not installed on your system. .
7/11/2009 11:01:50 PM, error: SideBySide [59] - Generate Activation Context failed for C:\WINDOWS\system32\C2MP\npdivx32.dll. Reference error message: The operation completed successfully. .
7/11/2009 11:01:50 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC80.CRT could not be found and Last Error was The referenced assembly is not installed on your system.

==== End Of File ===========================

Blade81
2009-07-17, 09:43
Hi again,

What do you need this for: A-Mac Address Change 5.4? MAC addresses shouldn't be played with.

Open notepad and copy/paste the text in the quotebox below into it:



Driver::
ltgedt
piifysrtm

File::
c:\program files\Internet Explorer\oauhyn.dll
c:\windows\system32\oauhyn.dll

NetSvc::
piifysrtm
ltgedt

DDS::
uStart Page = about:blank
mURLSearchHooks: H - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2652:TCP"=-



Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Download the latest version of Kaspersky Virus Removal Tool (ftp://downloads2.kaspersky-labs.com/devbuilds/AVPTool)

* Close all other applications and double-click and run the installer.
* When AVPTool starts, select all the scanable items except for CD-ROM drives and click the Scan button.
* If malware is detected, don't remove anything.
* After the scan finishes, don't neutralize anything.
* In the Scan window click the Reports button and select Save to file.
* Name the report AVPT.txt, and save it to the Desktop.
* Close AVPTool.
* You will be prompted if you want to uninstall the program; click Yes.
* You will then be prompted that to complete the uninstallation, the computer must be restarted. Select Yes to restart the system.
* Copy and paste the first part of the report (Detected) that you saved in your next reply. Do not include the longer list marked Events.


Post also a fresh dds.txt log and above mentioned ComboFix resultant log.
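
The two entries the CFScript above targets (the NetSvc:: services and the firewall port) are the same two tells a practitioner would check on any DDS or ComboFix log: a service with a random-looking name hosted by `svchost.exe -k netsvcs` that Windows itself never registers there, and an entry in the firewall's GloballyOpenPorts list that does not belong to File and Printer Sharing. The script below is an added example that re-implements that check over the log lines posted in this thread; it is not part of the thread, DDS or ComboFix. The XP_NETSVCS allowlist is an assumption drawn from the default netsvcs group of a clean Windows XP SP2 install and is partial; the firewall value data strings in the sample are constructed.

```python
"""Flag suspicious netsvcs services and firewall openings in DDS/ComboFix output.

Added example, not code from the thread or from the DDS/ComboFix tools.
"""
import re

# Assumption: service names Windows XP SP2 itself lists in the "netsvcs"
# svchost group (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost,
# value "netsvcs"). Partial; extend it from a known-clean machine.
XP_NETSVCS = {
    "6to4", "appmgmt", "audiosrv", "bits", "browser", "cryptsvc", "dmserver",
    "ersvc", "eventsystem", "fastuserswitchingcompatibility", "helpsvc",
    "hidserv", "ip6fw", "irmon", "lanmanserver", "lanmanworkstation",
    "messenger", "netman", "nla", "ntmssvc", "nwcworkstation", "nwsapagent",
    "rasauto", "rasman", "remoteaccess", "schedule", "seclogon", "sens",
    "sharedaccess", "shellhwdetection", "srservice", "tapisrv", "themes",
    "trkwks", "uploadmgr", "w32time", "winmgmt", "wmdmpmsp", "wmi", "wscsvc",
    "wuauserv", "wzcsvc", "xmlprov",
}

# Default XP firewall exceptions for File and Printer Sharing.
DEFAULT_OPEN_PORTS = {"139:TCP", "445:TCP", "137:UDP", "138:UDP"}

# Constructed sample: the SERVICES / DRIVERS lines from the first DDS log above.
SAMPLE_SERVICES = r"""
R0 ENO;ENO;c:\windows\system32\drivers\ENO.sys [2004-5-27 51564]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-7-12 114768]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-7-12 138680]
S2 ltgedt;Microsoft Network;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S2 piifysrtm;System Security;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\deepak\locals~1\temp\alsysio.sys --> c:\docume~1\deepak\locals~1\temp\ALSysIO.sys [?]
"""

# Constructed sample in ComboFix "Reg Loading Points" layout; the value names
# come from the thread, the data strings after "=" are made up for the example.
SAMPLE_FIREWALL = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"139:TCP"= 139:TCP:*:Enabled:File and Printer Sharing
"2652:TCP"= 2652:TCP:*:Enabled:example
"""

# DDS service line: "<R|S><n> name;display name;image path [date size]"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s+\[[^\]]*\]\s*$")
REG_VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


def parse_services(log_text):
    """Return one dict per DDS service/driver line."""
    services = []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            services.append({"start": m.group(1), "name": m.group(2),
                             "display": m.group(3), "path": m.group(4)})
    return services


def suspicious_netsvcs(services):
    """Names of svchost -k netsvcs services that XP does not register itself."""
    hits = []
    for svc in services:
        path = svc["path"].lower()
        hosted = "svchost.exe" in path and "-k netsvcs" in path
        if hosted and svc["name"].lower() not in XP_NETSVCS:
            hits.append(svc["name"])
    return hits


def firewall_findings(reg_text):
    """Flag a disabled firewall and GloballyOpenPorts entries beyond the defaults."""
    findings = []
    section = ""
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        m = REG_VALUE_RE.match(line)
        if not m or "firewallpolicy\\standardprofile" not in section:
            continue
        name, data = m.group(1), m.group(2)
        if section.endswith("globallyopenports\\list"):
            if name.upper() not in DEFAULT_OPEN_PORTS:
                findings.append("open port " + name)
        elif name.lower() == "enablefirewall" and data.startswith("0"):
            findings.append("firewall disabled")
    return findings


if __name__ == "__main__":
    for name in suspicious_netsvcs(parse_services(SAMPLE_SERVICES)):
        print("review service:", name)
    for finding in firewall_findings(SAMPLE_FIREWALL):
        print("review firewall:", finding)
```

On the sample this reports ltgedt and piifysrtm, the disabled firewall, and the 2652:TCP opening, which is exactly what the CFScript removes. On a live XP machine the same facts are in the registry: the DLL svchost would load for a flagged service is the `ServiceDll` value under `HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters`, which is the sort of file the File:: section above deletes, and the netsvcs membership list is the `netsvcs` value under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost`.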

deepak4490
2009-07-19, 10:35
I did change my MAC because my ISP doesn't allow us to use the internet on different PCs.

Now my Avast antivirus is detecting Win32:confi[wrm]

Combofix Log

ComboFix 09-07-14.08 - Deepak 07/19/2009 11:36.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1671 [GMT 5.5:30]
Running from: c:\documents and settings\Deepak\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Deepak\Desktop\CFScript.txt.txt
AV: avast! antivirus 4.8.1335 [VPS 090719-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"c:\program files\Internet Explorer\oauhyn.dll"
"c:\windows\system32\oauhyn.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_LTGEDT
-------\Legacy_PIIFYSRTM
-------\Service_ltgedt
-------\Service_piifysrtm


((((((((((((((((((((((((( Files Created from 2009-06-19 to 2009-07-19 )))))))))))))))))))))))))))))))
.

2009-07-16 16:38 . 2009-07-16 16:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-07-16 16:35 . 2009-07-16 16:36 -------- d-----w- c:\program files\Yahoo!
2009-07-13 21:07 . 2009-07-13 21:07 -------- d-----w- c:\program files\Trend Micro
2009-07-12 12:59 . 2009-07-12 12:59 1078 ----a-r- c:\documents and settings\Deepak\Application Data\Microsoft\Installer\{30BA50ED-0F32-421B-BC6A-132A03EFF299}\ARPPRODUCTICON.exe
2009-07-12 10:08 . 2009-07-12 10:08 12328 ----a-w- c:\documents and settings\Deepak\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-12 09:53 . 2009-02-05 21:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-07-12 09:53 . 2009-02-05 21:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-07-12 09:53 . 2009-02-05 21:05 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-07-12 09:52 . 2009-02-05 21:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-07-12 09:52 . 2009-02-05 21:08 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-07-12 09:52 . 2009-02-05 21:08 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-07-12 09:52 . 2009-02-05 21:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-07-12 09:52 . 2009-02-05 21:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-07-12 09:52 . 2009-02-05 21:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
2009-07-12 09:52 . 2003-03-18 20:20 1060864 ----a-w- c:\windows\system32\MFC71.dll
2009-07-12 09:52 . 2003-03-18 19:14 499712 ----a-w- c:\windows\system32\MSVCP71.dll
2009-07-12 09:52 . 2003-02-21 03:42 348160 ----a-w- c:\windows\system32\MSVCR71.dll
2009-07-12 09:52 . 2009-07-12 09:52 -------- d-----w- c:\program files\Alwil Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-12 15:24 . 2009-07-11 14:28 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-07-11 19:42 . 2009-07-11 19:42 -------- d-----w- c:\program files\RomanWare
2009-07-11 19:28 . 2009-07-11 19:28 0 ----a-w- c:\windows\nsreg.dat
2009-07-11 19:26 . 2009-07-11 19:26 -------- d-----w- c:\program files\AVG
2009-07-11 17:49 . 2009-07-11 17:49 -------- d-----w- c:\program files\Synaptics
2009-07-11 17:49 . 2009-07-11 17:49 -------- d-----w- c:\program files\Common Files\InstallShield
2009-07-11 17:39 . 2009-07-11 17:39 4100 ----a-w- c:\windows\system32\hdvirffo.dll
2009-07-11 17:39 . 2009-07-11 17:39 -------- d-----w- c:\program files\PaqTool
2009-07-11 17:35 . 2009-07-11 17:35 -------- d-----w- c:\program files\eLitecore
2009-07-11 17:28 . 2009-07-11 17:28 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Intel
2009-07-11 17:28 . 2009-07-11 17:28 -------- d-----w- c:\documents and settings\LocalService\Application Data\Intel
2009-07-11 17:28 . 2009-07-11 17:28 -------- d-----w- c:\documents and settings\Default User\Application Data\Intel
2009-07-11 17:28 . 2009-07-11 17:28 -------- d-----w- c:\documents and settings\Deepak\Application Data\Intel
2009-07-11 17:27 . 2009-07-11 17:27 356352 ----a-w- c:\windows\system32\AegisI5Installer.exe
2009-07-11 17:27 . 2009-07-11 17:27 21393 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-07-11 17:27 . 2009-07-11 17:27 21393 ----a-w- c:\windows\AegisP.sys
2009-07-11 17:27 . 2009-07-11 17:27 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Intel
2009-07-11 17:27 . 2009-07-11 17:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Intel
2009-07-11 17:27 . 2009-07-11 17:20 -------- d-----w- c:\program files\Intel
2009-07-11 14:29 . 2009-07-11 14:29 -------- d-----w- c:\program files\microsoft frontpage
2009-07-11 14:25 . 2009-07-11 14:25 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-07-15 12:14 . 2009-07-11 19:28 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-07-16_19.19.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-19 06:09 . 2009-07-19 06:09 16384 c:\windows\Temp\Perflib_Perfdata_6d8.dat
+ 2009-07-19 05:30 . 2009-07-19 05:30 16384 c:\windows\Temp\Perflib_Perfdata_6d4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-08-10 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-08-10 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-08-10 137752]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 974848]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-19 774233]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-07 61952]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
24Online Client.lnk - c:\program files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe [2004-5-31 249856]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 ENO;ENO;c:\windows\system32\drivers\ENO.sys [5/27/2004 6:51 PM 51564]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [7/12/2009 3:22 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/12/2009 3:22 PM 20560]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\Deepak\LOCALS~1\Temp\ALSysIO.sys --> c:\docume~1\Deepak\LOCALS~1\Temp\ALSysIO.sys [?]
.
.
------- Supplementary Scan -------
.
TCP: {F294541A-6EC8-4BEA-B87A-373231CFEAA6} = 202.56.215.55,202.56.215.54
FF - ProfilePath - c:\documents and settings\Deepak\Application Data\Mozilla\Firefox\Profiles\mj97nr66.default\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-19 11:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-07-19 11:40 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-19 06:10
ComboFix2.txt 2009-07-16 19:19

Pre-Run: 37,369,786,368 bytes free
Post-Run: 37,300,879,360 bytes free

131


AVPT Log

Scan
----
Scanned: 238639
Detected: 0
Untreated: 0
Start time: 7/19/2009 11:44:49 AM
Duration: 00:45:05
Finish time: 7/19/2009 12:29:54 PM


Detected
--------
Status Object
------ ------


Events
------
Time Name Status Reason
---- ---- ------ ------
7/19/2009 11:44:55 AM Running module: smss.exe\smss.exe ok scanned


Statistics
----------
Object Scanned Detected Untreated Deleted Moved to Quarantine Archives Packed files Password protected Corrupted
------ ------- -------- --------- ------- ------------------- -------- ------------ ------------------ ---------


Settings
--------
Parameter Value
--------- -----
Security Level Recommended
Action Prompt for action when the scan is complete
Run mode Manually
File types Scan all files
Scan only new and changed files No
Scan archives All
Scan embedded OLE objects All
Skip if object is larger than No
Skip if scan takes longer than No
Parse email formats No
Scan password-protected archives No
Enable iChecker technology No
Enable iSwift technology No
Show detected threats on "Detected" tab Yes
Rootkits search Yes
Deep rootkits search No
Use heuristic analyzer Yes


Quarantine
----------
Status Object Size Added
------ ------ ---- -----


Backup
------
Status Object Size
------ ------ ----

DDS Log


DDS (Ver_09-06-26.01) - NTFSx86
Run by Deepak at 12:55:40.53 on Sun 07/19/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1672 [GMT 5.5:30]

AV: avast! antivirus 4.8.1335 [VPS 090719-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
C:\Documents and Settings\Deepak\Desktop\dds.pif

============== Pseudo HJT Report ===============

mURLSearchHooks: H - No File
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\24onli~1.lnk - c:\program files\elitecore\cyberoam client for 24online\CyberoamClient.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
TCP: {F294541A-6EC8-4BEA-B87A-373231CFEAA6} = 202.88.149.25,202.88.149.6
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\deepak\applic~1\mozilla\firefox\profiles\mj97nr66.default\

============= SERVICES / DRIVERS ===============

R0 ENO;ENO;c:\windows\system32\drivers\ENO.sys [2004-5-27 51564]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-7-12 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-7-12 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-7-12 138680]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\deepak\locals~1\temp\alsysio.sys --> c:\docume~1\deepak\locals~1\temp\ALSysIO.sys [?]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-7-12 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-7-12 352920]

=============== Created Last 30 ================

2009-07-19 11:44 442,400 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-07-19 11:44 6,260 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-07-17 00:49 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-07-17 00:47 <DIR> a-dshr-- C:\cmdcons
2009-07-17 00:40 219,648 a------- c:\windows\PEV.exe
2009-07-17 00:40 161,792 a------- c:\windows\SWREG.exe
2009-07-17 00:40 98,816 a------- c:\windows\sed.exe
2009-07-16 22:05 <DIR> --d----- c:\program files\Yahoo!
2009-07-14 02:37 <DIR> --d----- c:\program files\Trend Micro
2009-07-12 15:22 1,060,864 a------- c:\windows\system32\MFC71.dll
2009-07-12 15:22 499,712 a------- c:\windows\system32\MSVCP71.dll
2009-07-12 15:22 348,160 a------- c:\windows\system32\MSVCR71.dll
2009-07-12 01:20 3,072 a------- c:\windows\system32\drivers\audstub.sys
2009-07-12 01:19 57,472 a------- c:\windows\system32\drivers\redbook.sys
2009-07-12 01:19 23,040 a------- c:\windows\system32\drivers\mouclass.sys
2009-07-12 01:19 74,240 ac------ c:\windows\system32\dllcache\usbui.dll
2009-07-12 01:19 74,240 a------- c:\windows\system32\usbui.dll
2009-07-12 01:18 9,344 a------- c:\windows\system32\drivers\compbatt.sys
2009-07-12 01:18 14,080 a------- c:\windows\system32\drivers\battc.sys
2009-07-12 01:18 14,080 a------- c:\windows\system32\drivers\CmBatt.sys
2009-07-12 01:17 <DIR> --d----- c:\program files\common files\ODBC
2009-07-12 01:17 <DIR> --d----- c:\program files\common files\SpeechEngines
2009-07-12 01:17 <DIR> --d--r-- c:\documents and settings\all users\Documents
2009-07-12 01:16 <DIR> --d----- C:\Documents and Settings
2009-07-12 01:15 261 a------- c:\windows\system32\$winnt$.inf
2009-07-12 01:12 <DIR> --d----- c:\program files\RomanWare
2009-07-12 00:56 <DIR> --d----- c:\program files\AVG
2009-07-11 23:22 <DIR> --ds---- c:\documents and settings\deepak\UserData
2009-07-11 23:19 <DIR> --d----- c:\program files\Synaptics
2009-07-11 23:09 <DIR> --d----- c:\program files\PaqTool
2009-07-11 23:05 <DIR> --d----- c:\program files\eLitecore
2009-07-11 22:58 <DIR> --d----- c:\docume~1\deepak\applic~1\Intel
2009-07-11 19:58 <DIR> --dsh--- c:\documents and settings\all users\DRM
2009-07-11 19:57 <DIR> --d-h--- c:\program files\WindowsUpdate
2009-07-11 19:56 <DIR> --d----- c:\program files\common files\MSSoap
2009-07-11 19:55 <DIR> --d----- c:\program files\Online Services
2009-07-11 19:55 <DIR> --d----- c:\program files\Messenger
2009-07-11 19:55 <DIR> --d----- c:\program files\MSN Gaming Zone
2009-07-11 19:54 <DIR> --d----- c:\program files\Windows NT

==================== Find3M ====================

2009-07-12 20:54 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-07-11 23:09 4,100 a------- c:\windows\system32\hdvirffo.dll
2009-07-11 22:57 356,352 a------- c:\windows\system32\AegisI5Installer.exe
2009-07-11 22:57 21,393 a------- c:\windows\system32\drivers\AegisP.sys
2009-07-11 22:57 21,393 a------- c:\windows\AegisP.sys
2009-07-11 19:55 21,640 a------- c:\windows\system32\emptyregdb.dat

============= FINISH: 12:55:50.45 ===============

Blade81
2009-07-19, 11:39
Hi,


Now my Avast antivirus is detecting Win32:confi[wrm]
In which location was the infection detected?

deepak4490
2009-07-19, 13:41
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\63QL4VK9\hial[1].png

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\8XGZO12R\sjra[1].png

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\CTCJQRMD\dxafa[1].gif

Sometimes it detects it under windows/system/x

Avast detects the virus, but when I delete them or move them to the vault and scan the system again, it detects them again.

Blade81
2009-07-19, 15:00
Hi,

Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Please post contents of that file & a fresh dds.txt log in your next reply.

deepak4490
2009-07-19, 22:51
Nothing has been detected by Malwarebytes. Given below is the log.

Malwarebytes' Anti-Malware 1.39
Database version: 2464
Windows 5.1.2600 Service Pack 2

7/20/2009 1:17:37 AM
mbam-log-2009-07-20 (01-17-37).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 99262
Time elapsed: 6 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

DDS Log File


DDS (Ver_09-06-26.01) - NTFSx86
Run by Deepak at 1:21:24.15 on Mon 07/20/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1531 [GMT 5.5:30]

AV: avast! antivirus 4.8.1335 [VPS 090719-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Deepak\Desktop\dds.pif

============== Pseudo HJT Report ===============

mURLSearchHooks: H - No File
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\24onli~1.lnk - c:\program files\elitecore\cyberoam client for 24online\CyberoamClient.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
TCP: {F294541A-6EC8-4BEA-B87A-373231CFEAA6} = 202.88.149.25,202.88.149.6
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\deepak\applic~1\mozilla\firefox\profiles\mj97nr66.default\

============= SERVICES / DRIVERS ===============

R0 ENO;ENO;c:\windows\system32\drivers\ENO.sys [2004-5-27 51564]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-7-12 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-7-12 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-7-12 138680]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\deepak\locals~1\temp\alsysio.sys --> c:\docume~1\deepak\locals~1\temp\ALSysIO.sys [?]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-7-12 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-7-12 352920]

=============== Created Last 30 ================

2009-07-20 01:02 <DIR> --d----- c:\docume~1\deepak\applic~1\Malwarebytes
2009-07-20 00:42 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-20 00:42 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-20 00:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-20 00:42 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-20 00:28 164,746 a------- c:\windows\system32\x
2009-07-19 11:44 442,400 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-07-19 11:44 6,260 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-07-17 00:49 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-07-17 00:47 <DIR> a-dshr-- C:\cmdcons
2009-07-17 00:40 219,648 a------- c:\windows\PEV.exe
2009-07-17 00:40 161,792 a------- c:\windows\SWREG.exe
2009-07-17 00:40 98,816 a------- c:\windows\sed.exe
2009-07-16 22:05 <DIR> --d----- c:\program files\Yahoo!
2009-07-14 02:37 <DIR> --d----- c:\program files\Trend Micro
2009-07-12 15:22 1,060,864 a------- c:\windows\system32\MFC71.dll
2009-07-12 15:22 499,712 a------- c:\windows\system32\MSVCP71.dll
2009-07-12 15:22 348,160 a------- c:\windows\system32\MSVCR71.dll
2009-07-12 01:20 3,072 a------- c:\windows\system32\drivers\audstub.sys
2009-07-12 01:19 57,472 a------- c:\windows\system32\drivers\redbook.sys
2009-07-12 01:19 23,040 a------- c:\windows\system32\drivers\mouclass.sys
2009-07-12 01:19 74,240 ac------ c:\windows\system32\dllcache\usbui.dll
2009-07-12 01:19 74,240 a------- c:\windows\system32\usbui.dll
2009-07-12 01:18 9,344 a------- c:\windows\system32\drivers\compbatt.sys
2009-07-12 01:18 14,080 a------- c:\windows\system32\drivers\battc.sys
2009-07-12 01:18 14,080 a------- c:\windows\system32\drivers\CmBatt.sys
2009-07-12 01:17 <DIR> --d----- c:\program files\common files\ODBC
2009-07-12 01:17 <DIR> --d----- c:\program files\common files\SpeechEngines
2009-07-12 01:17 <DIR> --d--r-- c:\documents and settings\all users\Documents
2009-07-12 01:16 <DIR> --d----- C:\Documents and Settings
2009-07-12 01:15 261 a------- c:\windows\system32\$winnt$.inf
2009-07-12 01:12 <DIR> --d----- c:\program files\RomanWare
2009-07-12 00:56 <DIR> --d----- c:\program files\AVG
2009-07-11 23:22 <DIR> --ds---- c:\documents and settings\deepak\UserData
2009-07-11 23:19 <DIR> --d----- c:\program files\Synaptics
2009-07-11 23:09 <DIR> --d----- c:\program files\PaqTool
2009-07-11 23:05 <DIR> --d----- c:\program files\eLitecore
2009-07-11 22:58 <DIR> --d----- c:\docume~1\deepak\applic~1\Intel
2009-07-11 19:58 <DIR> --dsh--- c:\documents and settings\all users\DRM
2009-07-11 19:57 <DIR> --d-h--- c:\program files\WindowsUpdate
2009-07-11 19:56 <DIR> --d----- c:\program files\common files\MSSoap
2009-07-11 19:55 <DIR> --d----- c:\program files\Online Services
2009-07-11 19:55 <DIR> --d----- c:\program files\Messenger
2009-07-11 19:55 <DIR> --d----- c:\program files\MSN Gaming Zone
2009-07-11 19:54 <DIR> --d----- c:\program files\Windows NT

==================== Find3M ====================

2009-07-12 20:54 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-07-11 23:09 4,100 a------- c:\windows\system32\hdvirffo.dll
2009-07-11 22:57 356,352 a------- c:\windows\system32\AegisI5Installer.exe
2009-07-11 22:57 21,393 a------- c:\windows\system32\drivers\AegisP.sys
2009-07-11 22:57 21,393 a------- c:\windows\AegisP.sys
2009-07-11 19:55 21,640 a------- c:\windows\system32\emptyregdb.dat

============= FINISH: 1:21:33.40 ===============

Blade81
2009-07-20, 10:05
Hi,

Open notepad and copy/paste the text in the quotebox below into it:



File::
c:\windows\system32\x

Reboot::



Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log & a fresh dds.txt log. Run Avast to see if anything is still found.


ComboFix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

deepak4490
2009-07-20, 10:41
Bro, I did the same, but Avast is still detecting Win32:confi[wrm]

Combofix Log

ComboFix 09-07-14.08 - Deepak 07/20/2009 12:41.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1674 [GMT 5.5:30]
Running from: c:\documents and settings\Deepak\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Deepak\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090719-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"c:\windows\system32\x"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\x

.
((((((((((((((((((((((((( Files Created from 2009-06-20 to 2009-07-20 )))))))))))))))))))))))))))))))
.

2009-07-19 19:32 . 2009-07-19 19:32 -------- d-----w- c:\documents and settings\Deepak\Application Data\Malwarebytes
2009-07-19 19:12 . 2009-07-13 08:06 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-19 19:12 . 2009-07-19 19:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-19 19:12 . 2009-07-13 08:06 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-19 19:12 . 2009-07-19 19:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-19 13:19 . 2009-07-19 13:19 -------- d-----w- c:\documents and settings\Deepak\Application Data\DivX
2009-07-19 06:14 . 2009-07-19 07:01 442400 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-07-16 16:38 . 2009-07-16 16:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-07-16 16:35 . 2009-07-16 16:36 -------- d-----w- c:\program files\Yahoo!
2009-07-13 21:07 . 2009-07-13 21:07 -------- d-----w- c:\program files\Trend Micro
2009-07-12 12:59 . 2009-07-12 12:59 1078 ----a-r- c:\documents and settings\Deepak\Application Data\Microsoft\Installer\{30BA50ED-0F32-421B-BC6A-132A03EFF299}\ARPPRODUCTICON.exe
2009-07-12 10:08 . 2009-07-12 10:08 12328 ----a-w- c:\documents and settings\Deepak\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-12 09:53 . 2009-02-05 21:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-07-12 09:53 . 2009-02-05 21:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-07-12 09:53 . 2009-02-05 21:05 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-07-12 09:52 . 2009-02-05 21:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-07-12 09:52 . 2009-02-05 21:08 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-07-12 09:52 . 2009-02-05 21:08 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-07-12 09:52 . 2009-02-05 21:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-07-12 09:52 . 2009-02-05 21:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-07-12 09:52 . 2009-02-05 21:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
2009-07-12 09:52 . 2003-03-18 20:20 1060864 ----a-w- c:\windows\system32\MFC71.dll
2009-07-12 09:52 . 2003-03-18 19:14 499712 ----a-w- c:\windows\system32\MSVCP71.dll
2009-07-12 09:52 . 2003-02-21 03:42 348160 ----a-w- c:\windows\system32\MSVCR71.dll
2009-07-12 09:52 . 2009-07-12 09:52 -------- d-----w- c:\program files\Alwil Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-19 07:01 . 2009-07-19 06:14 6260 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-07-12 15:24 . 2009-07-11 14:28 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-07-11 19:42 . 2009-07-11 19:42 -------- d-----w- c:\program files\RomanWare
2009-07-11 19:28 . 2009-07-11 19:28 0 ----a-w- c:\windows\nsreg.dat
2009-07-11 19:26 . 2009-07-11 19:26 -------- d-----w- c:\program files\AVG
2009-07-11 17:49 . 2009-07-11 17:49 -------- d-----w- c:\program files\Synaptics
2009-07-11 17:49 . 2009-07-11 17:49 -------- d-----w- c:\program files\Common Files\InstallShield
2009-07-11 17:39 . 2009-07-11 17:39 4100 ----a-w- c:\windows\system32\hdvirffo.dll
2009-07-11 17:39 . 2009-07-11 17:39 -------- d-----w- c:\program files\PaqTool
2009-07-11 17:35 . 2009-07-11 17:35 -------- d-----w- c:\program files\eLitecore
2009-07-11 17:28 . 2009-07-11 17:28 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Intel
2009-07-11 17:28 . 2009-07-11 17:28 -------- d-----w- c:\documents and settings\LocalService\Application Data\Intel
2009-07-11 17:28 . 2009-07-11 17:28 -------- d-----w- c:\documents and settings\Default User\Application Data\Intel
2009-07-11 17:28 . 2009-07-11 17:28 -------- d-----w- c:\documents and settings\Deepak\Application Data\Intel
2009-07-11 17:27 . 2009-07-11 17:27 356352 ----a-w- c:\windows\system32\AegisI5Installer.exe
2009-07-11 17:27 . 2009-07-11 17:27 21393 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-07-11 17:27 . 2009-07-11 17:27 21393 ----a-w- c:\windows\AegisP.sys
2009-07-11 17:27 . 2009-07-11 17:27 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Intel
2009-07-11 17:27 . 2009-07-11 17:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Intel
2009-07-11 17:27 . 2009-07-11 17:20 -------- d-----w- c:\program files\Intel
2009-07-11 14:29 . 2009-07-11 14:29 -------- d-----w- c:\program files\microsoft frontpage
2009-07-11 14:25 . 2009-07-11 14:25 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-07-15 12:14 . 2009-07-11 19:28 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-07-16_19.19.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-20 07:14 . 2009-07-20 07:14 16384 c:\windows\Temp\Perflib_Perfdata_6d0.dat
+ 2009-07-19 18:56 . 2009-07-19 18:56 16384 c:\windows\Temp\Perflib_Perfdata_6cc.dat
- 2009-07-13 06:05 . 2009-07-13 06:05 16384 c:\windows\Temp\Perflib_Perfdata_6cc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-08-10 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-08-10 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-08-10 137752]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 974848]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-19 774233]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-07 61952]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
24Online Client.lnk - c:\program files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe [2004-5-31 249856]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 ENO;ENO;c:\windows\system32\drivers\ENO.sys [5/27/2004 6:51 PM 51564]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [7/12/2009 3:22 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/12/2009 3:22 PM 20560]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\Deepak\LOCALS~1\Temp\ALSysIO.sys --> c:\docume~1\Deepak\LOCALS~1\Temp\ALSysIO.sys [?]
.
.
------- Supplementary Scan -------
.
TCP: {F294541A-6EC8-4BEA-B87A-373231CFEAA6} = 202.88.149.25,202.88.149.6
FF - ProfilePath - c:\documents and settings\Deepak\Application Data\Mozilla\Firefox\Profiles\mj97nr66.default\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-20 12:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\igfxsrvc.exe
c:\progra~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-07-20 12:45 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-20 07:15
ComboFix2.txt 2009-07-19 06:10
ComboFix3.txt 2009-07-16 19:19

Pre-Run: 37,201,354,752 bytes free
Post-Run: 37,168,508,928 bytes free

133


DDS Log


DDS (Ver_09-06-26.01) - NTFSx86
Run by Deepak at 12:46:02.42 on Mon 07/20/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1635 [GMT 5.5:30]

AV: avast! antivirus 4.8.1335 [VPS 090719-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Deepak\Desktop\dds.pif

============== Pseudo HJT Report ===============

mURLSearchHooks: H - No File
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\24onli~1.lnk - c:\program files\elitecore\cyberoam client for 24online\CyberoamClient.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
TCP: {F294541A-6EC8-4BEA-B87A-373231CFEAA6} = 202.88.149.25,202.88.149.6
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\deepak\applic~1\mozilla\firefox\profiles\mj97nr66.default\

============= SERVICES / DRIVERS ===============

R0 ENO;ENO;c:\windows\system32\drivers\ENO.sys [2004-5-27 51564]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-7-12 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-7-12 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-7-12 138680]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\deepak\locals~1\temp\alsysio.sys --> c:\docume~1\deepak\locals~1\temp\ALSysIO.sys [?]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-7-12 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-7-12 352920]

=============== Created Last 30 ================

2009-07-20 01:02 <DIR> --d----- c:\docume~1\deepak\applic~1\Malwarebytes
2009-07-20 00:42 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-20 00:42 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-20 00:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-20 00:42 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-19 11:44 442,400 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-07-19 11:44 6,260 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-07-17 00:49 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-07-17 00:47 <DIR> a-dshr-- C:\cmdcons
2009-07-17 00:40 219,648 a------- c:\windows\PEV.exe
2009-07-17 00:40 161,792 a------- c:\windows\SWREG.exe
2009-07-17 00:40 98,816 a------- c:\windows\sed.exe
2009-07-16 22:05 <DIR> --d----- c:\program files\Yahoo!
2009-07-14 02:37 <DIR> --d----- c:\program files\Trend Micro
2009-07-12 15:22 1,060,864 a------- c:\windows\system32\MFC71.dll
2009-07-12 15:22 499,712 a------- c:\windows\system32\MSVCP71.dll
2009-07-12 15:22 348,160 a------- c:\windows\system32\MSVCR71.dll
2009-07-12 01:20 3,072 a------- c:\windows\system32\drivers\audstub.sys
2009-07-12 01:19 57,472 a------- c:\windows\system32\drivers\redbook.sys
2009-07-12 01:19 23,040 a------- c:\windows\system32\drivers\mouclass.sys
2009-07-12 01:19 74,240 ac------ c:\windows\system32\dllcache\usbui.dll
2009-07-12 01:19 74,240 a------- c:\windows\system32\usbui.dll
2009-07-12 01:18 9,344 a------- c:\windows\system32\drivers\compbatt.sys
2009-07-12 01:18 14,080 a------- c:\windows\system32\drivers\battc.sys
2009-07-12 01:18 14,080 a------- c:\windows\system32\drivers\CmBatt.sys
2009-07-12 01:17 <DIR> --d----- c:\program files\common files\ODBC
2009-07-12 01:17 <DIR> --d----- c:\program files\common files\SpeechEngines
2009-07-12 01:17 <DIR> --d--r-- c:\documents and settings\all users\Documents
2009-07-12 01:16 <DIR> --d----- C:\Documents and Settings
2009-07-12 01:15 261 a------- c:\windows\system32\$winnt$.inf
2009-07-12 01:12 <DIR> --d----- c:\program files\RomanWare
2009-07-12 00:56 <DIR> --d----- c:\program files\AVG
2009-07-11 23:22 <DIR> --ds---- c:\documents and settings\deepak\UserData
2009-07-11 23:19 <DIR> --d----- c:\program files\Synaptics
2009-07-11 23:09 <DIR> --d----- c:\program files\PaqTool
2009-07-11 23:05 <DIR> --d----- c:\program files\eLitecore
2009-07-11 22:58 <DIR> --d----- c:\docume~1\deepak\applic~1\Intel
2009-07-11 19:58 <DIR> --dsh--- c:\documents and settings\all users\DRM
2009-07-11 19:57 <DIR> --d-h--- c:\program files\WindowsUpdate
2009-07-11 19:56 <DIR> --d----- c:\program files\common files\MSSoap
2009-07-11 19:55 <DIR> --d----- c:\program files\Online Services
2009-07-11 19:55 <DIR> --d----- c:\program files\Messenger
2009-07-11 19:55 <DIR> --d----- c:\program files\MSN Gaming Zone
2009-07-11 19:54 <DIR> --d----- c:\program files\Windows NT

==================== Find3M ====================

2009-07-12 20:54 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-07-11 23:09 4,100 a------- c:\windows\system32\hdvirffo.dll
2009-07-11 22:57 356,352 a------- c:\windows\system32\AegisI5Installer.exe
2009-07-11 22:57 21,393 a------- c:\windows\system32\drivers\AegisP.sys
2009-07-11 22:57 21,393 a------- c:\windows\AegisP.sys
2009-07-11 19:55 21,640 a------- c:\windows\system32\emptyregdb.dat

============= FINISH: 12:46:09.51 ===============

Blade81
2009-07-20, 12:54
Hi,

Do you have a firewall enabled? I didn't see any 3rd-party solution installed, so make sure the Windows internal firewall is enabled in Security Center in Control Panel.

Delete c:\windows\system32\hdvirffo.dll file.

Reboot and run Avast again. Post back its results and a fresh dds.txt log.

deepak4490
2009-07-20, 16:37
I did it, deleted that file and did a full scan after restart; Avast detected Win32:confi[worm] in c:/windows/system32/x.vir


DDS Log


DDS (Ver_09-06-26.01) - NTFSx86
Run by Deepak at 19:07:08.98 on Mon 07/20/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1589 [GMT 5.5:30]

AV: avast! antivirus 4.8.1335 [VPS 090719-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Deepak\Desktop\dds.pif

============== Pseudo HJT Report ===============

mURLSearchHooks: H - No File
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\24onli~1.lnk - c:\program files\elitecore\cyberoam client for 24online\CyberoamClient.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
TCP: {F294541A-6EC8-4BEA-B87A-373231CFEAA6} = 202.88.149.25,202.88.149.6
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\deepak\applic~1\mozilla\firefox\profiles\mj97nr66.default\

============= SERVICES / DRIVERS ===============

R0 ENO;ENO;c:\windows\system32\drivers\ENO.sys [2004-5-27 51564]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-7-12 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-7-12 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-7-12 138680]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-7-12 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-7-12 352920]
S2 cfngiz;Center Time;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\deepak\locals~1\temp\alsysio.sys --> c:\docume~1\deepak\locals~1\temp\ALSysIO.sys [?]

=============== Created Last 30 ================

2009-07-20 01:02 <DIR> --d----- c:\docume~1\deepak\applic~1\Malwarebytes
2009-07-20 00:42 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-20 00:42 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-20 00:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-20 00:42 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-19 11:44 442,400 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-07-19 11:44 6,260 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-07-17 00:49 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-07-17 00:47 <DIR> a-dshr-- C:\cmdcons
2009-07-17 00:40 219,648 a------- c:\windows\PEV.exe
2009-07-17 00:40 161,792 a------- c:\windows\SWREG.exe
2009-07-17 00:40 98,816 a------- c:\windows\sed.exe
2009-07-16 22:05 <DIR> --d----- c:\program files\Yahoo!
2009-07-14 02:37 <DIR> --d----- c:\program files\Trend Micro
2009-07-12 15:22 1,060,864 a------- c:\windows\system32\MFC71.dll
2009-07-12 15:22 499,712 a------- c:\windows\system32\MSVCP71.dll
2009-07-12 15:22 348,160 a------- c:\windows\system32\MSVCR71.dll
2009-07-12 01:20 3,072 a------- c:\windows\system32\drivers\audstub.sys
2009-07-12 01:19 57,472 a------- c:\windows\system32\drivers\redbook.sys
2009-07-12 01:19 23,040 a------- c:\windows\system32\drivers\mouclass.sys
2009-07-12 01:19 74,240 ac------ c:\windows\system32\dllcache\usbui.dll
2009-07-12 01:19 74,240 a------- c:\windows\system32\usbui.dll
2009-07-12 01:18 9,344 a------- c:\windows\system32\drivers\compbatt.sys
2009-07-12 01:18 14,080 a------- c:\windows\system32\drivers\battc.sys
2009-07-12 01:18 14,080 a------- c:\windows\system32\drivers\CmBatt.sys
2009-07-12 01:17 <DIR> --d----- c:\program files\common files\ODBC
2009-07-12 01:17 <DIR> --d----- c:\program files\common files\SpeechEngines
2009-07-12 01:17 <DIR> --d--r-- c:\documents and settings\all users\Documents
2009-07-12 01:16 <DIR> --d----- C:\Documents and Settings
2009-07-12 01:15 261 a------- c:\windows\system32\$winnt$.inf
2009-07-12 01:12 <DIR> --d----- c:\program files\RomanWare
2009-07-12 00:56 <DIR> --d----- c:\program files\AVG
2009-07-11 23:22 <DIR> --ds---- c:\documents and settings\deepak\UserData
2009-07-11 23:19 <DIR> --d----- c:\program files\Synaptics
2009-07-11 23:09 <DIR> --d----- c:\program files\PaqTool
2009-07-11 23:05 <DIR> --d----- c:\program files\eLitecore
2009-07-11 22:58 <DIR> --d----- c:\docume~1\deepak\applic~1\Intel
2009-07-11 19:58 <DIR> --dsh--- c:\documents and settings\all users\DRM
2009-07-11 19:57 <DIR> --d-h--- c:\program files\WindowsUpdate
2009-07-11 19:56 <DIR> --d----- c:\program files\common files\MSSoap
2009-07-11 19:55 <DIR> --d----- c:\program files\Online Services
2009-07-11 19:55 <DIR> --d----- c:\program files\Messenger
2009-07-11 19:55 <DIR> --d----- c:\program files\MSN Gaming Zone
2009-07-11 19:54 <DIR> --d----- c:\program files\Windows NT

==================== Find3M ====================

2009-07-12 20:54 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-07-11 22:57 356,352 a------- c:\windows\system32\AegisI5Installer.exe
2009-07-11 22:57 21,393 a------- c:\windows\system32\drivers\AegisP.sys
2009-07-11 22:57 21,393 a------- c:\windows\AegisP.sys
2009-07-11 19:55 21,640 a------- c:\windows\system32\emptyregdb.dat
2004-08-04 06:26 164,746 a--shr-- c:\windows\system32\oauhyn.dll

============= FINISH: 19:07:20.14 ===============

Blade81
2009-07-20, 20:59
Hi,

Is that system part of a network? If it is, you have to separate it from the other systems. Also, you should keep it disconnected from the internet as much as possible.

Have you used external drives, like USB pen drives, with the system lately?

You have to download and install both MS08-067 (http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx) and MS08-068 (http://www.microsoft.com/technet/security/Bulletin/MS08-068.mspx) patches. Both of those have been out for months now. It's sometimes difficult for me to understand why people can't keep their system up-to-date.

Also, I still ask: do you have firewall enabled?


Run ComboFix again and post back its report & fresh dds log.

deepak4490
2009-07-22, 13:22
When I am installing these patches, I am getting the following error:
update/update.exe is not a valid win32 application.

Blade81
2009-07-22, 23:38
Keep those patches ready so that you can install them after the system is clean.

Please answer my questions in previous post and provide the logs requested there.

deepak4490
2009-07-23, 21:21
As mentioned in your last post, I did install these patches, and now when I run Avast I am not getting any virus message.
Yes, I use a pen drive between my PC and my laptop. How do I check if my pen drive is still infected? I don't want to plug it in without your permission because now my laptop seems to be virus free.

Combofix Log

ComboFix 09-07-23.01 - Deepak 07/23/2009 23:43.4.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1575 [GMT 5.5:30]
Running from: c:\documents and settings\Deepak\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090722-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2009-06-23 to 2009-07-23 )))))))))))))))))))))))))))))))
.

2009-07-22 10:26 . 2008-10-24 11:10 453632 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-07-22 10:24 . 2009-07-22 10:26 -------- d--h--w- c:\windows\$hf_mig$
2009-07-19 19:32 . 2009-07-19 19:32 -------- d-----w- c:\documents and settings\Deepak\Application Data\Malwarebytes
2009-07-19 19:12 . 2009-07-13 08:06 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-19 19:12 . 2009-07-19 19:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-19 19:12 . 2009-07-13 08:06 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-19 19:12 . 2009-07-19 19:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-19 13:19 . 2009-07-19 13:19 -------- d-----w- c:\documents and settings\Deepak\Application Data\DivX
2009-07-19 06:14 . 2009-07-19 07:01 442400 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-07-16 16:38 . 2009-07-16 16:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-07-16 16:35 . 2009-07-16 16:36 -------- d-----w- c:\program files\Yahoo!
2009-07-13 21:07 . 2009-07-13 21:07 -------- d-----w- c:\program files\Trend Micro
2009-07-12 12:59 . 2009-07-12 12:59 1078 ----a-r- c:\documents and settings\Deepak\Application Data\Microsoft\Installer\{30BA50ED-0F32-421B-BC6A-132A03EFF299}\ARPPRODUCTICON.exe
2009-07-12 10:08 . 2009-07-12 10:08 12328 ----a-w- c:\documents and settings\Deepak\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-12 09:53 . 2009-02-05 21:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-07-12 09:53 . 2009-02-05 21:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-07-12 09:53 . 2009-02-05 21:05 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-07-12 09:52 . 2009-02-05 21:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-07-12 09:52 . 2009-02-05 21:08 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-07-12 09:52 . 2009-02-05 21:08 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-07-12 09:52 . 2009-02-05 21:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-07-12 09:52 . 2009-02-05 21:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-07-12 09:52 . 2009-02-05 21:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
2009-07-12 09:52 . 2003-03-18 20:20 1060864 ----a-w- c:\windows\system32\MFC71.dll
2009-07-12 09:52 . 2003-03-18 19:14 499712 ----a-w- c:\windows\system32\MSVCP71.dll
2009-07-12 09:52 . 2003-02-21 03:42 348160 ----a-w- c:\windows\system32\MSVCR71.dll
2009-07-12 09:52 . 2009-07-12 09:52 -------- d-----w- c:\program files\Alwil Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-19 07:01 . 2009-07-19 06:14 6260 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-07-12 15:24 . 2009-07-11 14:28 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-07-11 19:42 . 2009-07-11 19:42 -------- d-----w- c:\program files\RomanWare
2009-07-11 19:28 . 2009-07-11 19:28 0 ----a-w- c:\windows\nsreg.dat
2009-07-11 19:26 . 2009-07-11 19:26 -------- d-----w- c:\program files\AVG
2009-07-11 17:49 . 2009-07-11 17:49 -------- d-----w- c:\program files\Synaptics
2009-07-11 17:49 . 2009-07-11 17:49 -------- d-----w- c:\program files\Common Files\InstallShield
2009-07-11 17:39 . 2009-07-11 17:39 -------- d-----w- c:\program files\PaqTool
2009-07-11 17:35 . 2009-07-11 17:35 -------- d-----w- c:\program files\eLitecore
2009-07-11 17:28 . 2009-07-11 17:28 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Intel
2009-07-11 17:28 . 2009-07-11 17:28 -------- d-----w- c:\documents and settings\LocalService\Application Data\Intel
2009-07-11 17:28 . 2009-07-11 17:28 -------- d-----w- c:\documents and settings\Default User\Application Data\Intel
2009-07-11 17:28 . 2009-07-11 17:28 -------- d-----w- c:\documents and settings\Deepak\Application Data\Intel
2009-07-11 17:27 . 2009-07-11 17:27 356352 ----a-w- c:\windows\system32\AegisI5Installer.exe
2009-07-11 17:27 . 2009-07-11 17:27 21393 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-07-11 17:27 . 2009-07-11 17:27 21393 ----a-w- c:\windows\AegisP.sys
2009-07-11 17:27 . 2009-07-11 17:27 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Intel
2009-07-11 17:27 . 2009-07-11 17:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Intel
2009-07-11 17:27 . 2009-07-11 17:20 -------- d-----w- c:\program files\Intel
2009-07-11 14:29 . 2009-07-11 14:29 -------- d-----w- c:\program files\microsoft frontpage
2009-07-11 14:25 . 2009-07-11 14:25 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-07-15 12:14 . 2009-07-11 19:28 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-07-16_19.19.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-20 12:38 . 2009-07-20 12:38 16384 c:\windows\Temp\Perflib_Perfdata_6d0.dat
+ 2009-07-22 10:24 . 2008-07-08 13:02 17272 c:\windows\system32\spmsg.dll
+ 2009-07-22 18:11 . 2009-07-22 18:11 84661 c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2004-08-04 00:56 . 2008-10-15 16:57 332800 c:\windows\system32\netapi32.dll
+ 2009-02-03 02:15 . 2009-02-03 02:15 240544 c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2004-08-03 23:15 . 2008-10-24 11:10 453632 c:\windows\system32\drivers\mrxsmb.sys
+ 2004-08-04 00:56 . 2008-10-15 16:57 332800 c:\windows\system32\dllcache\netapi32.dll
+ 2009-07-22 10:26 . 2008-10-24 11:10 453632 c:\windows\Driver Cache\i386\mrxsmb.sys
+ 2009-02-03 02:15 . 2009-02-03 02:15 3771296 c:\windows\system32\Macromed\Flash\NPSWF32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-08-10 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-08-10 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-08-10 137752]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 974848]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-19 774233]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-07 61952]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
24Online Client.lnk - c:\program files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe [2004-5-31 249856]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2652:TCP"= 2652:TCP:exsjt

R0 ENO;ENO;c:\windows\system32\drivers\ENO.sys [5/27/2004 6:51 PM 51564]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [7/12/2009 3:22 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/12/2009 3:22 PM 20560]
S2 cfngiz;Center Time;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 6:26 AM 14336]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\Deepak\LOCALS~1\Temp\ALSysIO.sys --> c:\docume~1\Deepak\LOCALS~1\Temp\ALSysIO.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
cfngiz
.
.
------- Supplementary Scan -------
.
TCP: {F294541A-6EC8-4BEA-B87A-373231CFEAA6} = 202.56.215.55,202.56.215.54
FF - ProfilePath - c:\documents and settings\Deepak\Application Data\Mozilla\Firefox\Profiles\mj97nr66.default\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-23 23:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cfngiz]
"ServiceDll"="c:\windows\system32\oauhyn.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2152)
c:\windows\system32\browselc.dll
.
Completion time: 2009-07-23 23:45
ComboFix-quarantined-files.txt 2009-07-23 18:15
ComboFix2.txt 2009-07-20 07:15
ComboFix3.txt 2009-07-19 06:10
ComboFix4.txt 2009-07-16 19:19

Pre-Run: 37,381,496,832 bytes free
Post-Run: 37,349,994,496 bytes free

134


DDS Log


DDS (Ver_09-06-26.01) - NTFSx86
Run by Deepak at 23:45:52.17 on Thu 07/23/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1601 [GMT 5.5:30]

AV: avast! antivirus 4.8.1335 [VPS 090722-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Deepak\Desktop\dds.pif

============== Pseudo HJT Report ===============

mURLSearchHooks: H - No File
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\24onli~1.lnk - c:\program files\elitecore\cyberoam client for 24online\CyberoamClient.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
TCP: {F294541A-6EC8-4BEA-B87A-373231CFEAA6} = 202.56.215.55,202.56.215.54
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\deepak\applic~1\mozilla\firefox\profiles\mj97nr66.default\

============= SERVICES / DRIVERS ===============

R0 ENO;ENO;c:\windows\system32\drivers\ENO.sys [2004-5-27 51564]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-7-12 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-7-12 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-7-12 138680]
S2 cfngiz;Center Time;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\deepak\locals~1\temp\alsysio.sys --> c:\docume~1\deepak\locals~1\temp\ALSysIO.sys [?]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-7-12 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-7-12 352920]

=============== Created Last 30 ================

2009-07-23 23:42 <DIR> --ds---- C:\ComboFix
2009-07-22 15:56 453,632 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-07-22 15:54 <DIR> --d-h--- c:\windows\$hf_mig$
2009-07-20 01:02 <DIR> --d----- c:\docume~1\deepak\applic~1\Malwarebytes
2009-07-20 00:42 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-20 00:42 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-20 00:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-20 00:42 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-19 11:44 442,400 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-07-19 11:44 6,260 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-07-17 00:49 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-07-17 00:47 <DIR> a-dshr-- C:\cmdcons
2009-07-17 00:40 219,648 a------- c:\windows\PEV.exe
2009-07-17 00:40 161,792 a------- c:\windows\SWREG.exe
2009-07-17 00:40 98,816 a------- c:\windows\sed.exe
2009-07-16 22:05 <DIR> --d----- c:\program files\Yahoo!
2009-07-14 02:37 <DIR> --d----- c:\program files\Trend Micro
2009-07-12 15:22 1,060,864 a------- c:\windows\system32\MFC71.dll
2009-07-12 15:22 499,712 a------- c:\windows\system32\MSVCP71.dll
2009-07-12 15:22 348,160 a------- c:\windows\system32\MSVCR71.dll
2009-07-12 01:20 3,072 a------- c:\windows\system32\drivers\audstub.sys
2009-07-12 01:19 57,472 a------- c:\windows\system32\drivers\redbook.sys
2009-07-12 01:19 23,040 a------- c:\windows\system32\drivers\mouclass.sys
2009-07-12 01:19 74,240 ac------ c:\windows\system32\dllcache\usbui.dll
2009-07-12 01:19 74,240 a------- c:\windows\system32\usbui.dll
2009-07-12 01:18 9,344 a------- c:\windows\system32\drivers\compbatt.sys
2009-07-12 01:18 14,080 a------- c:\windows\system32\drivers\battc.sys
2009-07-12 01:18 14,080 a------- c:\windows\system32\drivers\CmBatt.sys
2009-07-12 01:17 <DIR> --d----- c:\program files\common files\ODBC
2009-07-12 01:17 <DIR> --d----- c:\program files\common files\SpeechEngines
2009-07-12 01:17 <DIR> --d--r-- c:\documents and settings\all users\Documents
2009-07-12 01:16 <DIR> --d----- C:\Documents and Settings
2009-07-12 01:15 261 a------- c:\windows\system32\$winnt$.inf
2009-07-12 01:12 <DIR> --d----- c:\program files\RomanWare
2009-07-12 00:56 <DIR> --d----- c:\program files\AVG
2009-07-11 23:22 <DIR> --ds---- c:\documents and settings\deepak\UserData
2009-07-11 23:19 <DIR> --d----- c:\program files\Synaptics
2009-07-11 23:09 <DIR> --d----- c:\program files\PaqTool
2009-07-11 23:05 <DIR> --d----- c:\program files\eLitecore
2009-07-11 22:58 <DIR> --d----- c:\docume~1\deepak\applic~1\Intel
2009-07-11 19:58 <DIR> --dsh--- c:\documents and settings\all users\DRM
2009-07-11 19:57 <DIR> --d-h--- c:\program files\WindowsUpdate
2009-07-11 19:56 <DIR> --d----- c:\program files\common files\MSSoap
2009-07-11 19:55 <DIR> --d----- c:\program files\Online Services
2009-07-11 19:55 <DIR> --d----- c:\program files\Messenger
2009-07-11 19:55 <DIR> --d----- c:\program files\MSN Gaming Zone
2009-07-11 19:54 <DIR> --d----- c:\program files\Windows NT

==================== Find3M ====================

2009-07-12 20:54 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-07-11 22:57 356,352 a------- c:\windows\system32\AegisI5Installer.exe
2009-07-11 22:57 21,393 a------- c:\windows\system32\drivers\AegisP.sys
2009-07-11 22:57 21,393 a------- c:\windows\AegisP.sys
2009-07-11 19:55 21,640 a------- c:\windows\system32\emptyregdb.dat

============= FINISH: 23:45:58.81 ===============

Blade81
2009-07-24, 00:07
Hi,

Insert pendrive into this system we're cleaning so that the drive will be cleaned too.

Open notepad and copy/paste the text in the quotebox below into it:



Driver::
cfngiz

NetSvc::
cfngiz

File::
c:\windows\system32\oauhyn.dll

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2652:TCP"=-

Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe.
Then post the resultant log & a fresh dds.txt log. Scan the pendrive with Avast and let me know if anything was found.


ComboFix should never take more than 20 minutes, including the reboot if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
If that happened we want to know, and also what process you had to end.
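
As an added illustration (not part of the thread, ComboFix or DDS), the following Python script parses the log fragments posted above and flags the three things the CFScript acts on: the svchost-hosted "cfngiz" service and its hidden ServiceDll, the disabled firewall profile, and the random-looking globally open port. The sample text is copied from the logs in this thread; the severity labels and the 4-12 lowercase-letter "random label" heuristic are assumptions made for this example.

```python
"""Triage of the ComboFix / DDS log fragments posted in this thread.

Added example only, not part of ComboFix, DDS or the helper's procedure.
It flags the three things the CFScript above acts on: a service hosted by
"svchost.exe -k netsvcs" whose ServiceDll is a hidden+system DLL directly
in system32, the disabled Windows Firewall profile, and a GloballyOpenPorts
entry with a bare random-looking label. Severity labels and the 4-12
lowercase-letter "random label" heuristic are assumptions of this example.
"""
import re

# Constructed sample: the relevant lines copied from the logs posted above.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2652:TCP"= 2652:TCP:exsjt

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [7/12/2009 3:22 PM 114768]
S2 cfngiz;Center Time;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 6:26 AM 14336]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\cfngiz]
"ServiceDll"="c:\windows\system32\oauhyn.dll"

2004-08-04 06:26 164,746 a--shr-- c:\windows\system32\oauhyn.dll
"""

SYS32 = "c:\\windows\\system32\\"
# "S2 name;display;image [date size]" service lines, as printed by ComboFix/DDS.
SERVICE_RE = re.compile(
    r"^[RS]\d\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+?)\s+\[", re.M)
# ServiceDll value printed under the service's registry key.
SERVICEDLL_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\(?P<name>[^\]]+)\]\r?\n"
    r'"ServiceDll"="(?P<dll>[^"]+)"', re.M)
FIREWALL_RE = re.compile(r'"EnableFirewall"=\s*(?P<val>\d+)')
OPENPORT_RE = re.compile(
    r'"(?P<port>\d+:(?:TCP|UDP))"=\s*\d+:(?:TCP|UDP):(?P<label>\S+)')
# DDS-style "date time size attrs path" file lines (<DIR> entries have no size).
FILEATTR_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+[\d,]+\s+(?P<attrs>[a-z-]{8})\s+(?P<path>\S.*)$",
    re.M)


def parse_services(log):
    """Map service name -> (display name, image command line)."""
    return {m["name"]: (m["display"], m["image"]) for m in SERVICE_RE.finditer(log)}


def parse_service_dlls(log):
    """Map service name (lower-case) -> ServiceDll path (lower-case)."""
    return {m["name"].lower(): m["dll"].lower() for m in SERVICEDLL_RE.finditer(log)}


def parse_file_attrs(log):
    """Map file path (lower-case) -> 8-char attribute string such as 'a--shr--'."""
    return {m["path"].lower(): m["attrs"] for m in FILEATTR_RE.finditer(log)}


def firewall_enabled(log):
    """True/False from the EnableFirewall value, None if the log lacks it."""
    m = FIREWALL_RE.search(log)
    return None if m is None else m["val"] != "0"


def open_ports(log):
    """List of (port spec, label) from the GloballyOpenPorts section."""
    return [(m["port"], m["label"]) for m in OPENPORT_RE.finditer(log)]


def triage(log):
    """Return (severity, message) findings for the patterns described above."""
    findings = []
    dlls = parse_service_dlls(log)
    attrs = parse_file_attrs(log)
    for name, (display, image) in parse_services(log).items():
        if "svchost.exe -k netsvcs" not in image.lower():
            continue  # only svchost-hosted services load their code via ServiceDll
        dll = dlls.get(name.lower())
        if dll is None:
            findings.append(("review", f"netsvcs service {name} ('{display}') has no ServiceDll in the log"))
            continue
        fa = attrs.get(dll, "")
        directly_in_sys32 = dll.startswith(SYS32) and "\\" not in dll[len(SYS32):]
        hidden_system = "s" in fa and "h" in fa
        sev = "high" if directly_in_sys32 and hidden_system else "review"
        findings.append((sev, f"netsvcs service {name} ('{display}') loads {dll} [attrs {fa or 'unknown'}]"))
    if firewall_enabled(log) is False:
        findings.append(("high", "Windows Firewall standard profile disabled (EnableFirewall=0)"))
    for port, label in open_ports(log):
        if re.fullmatch(r"[a-z]{4,12}", label):  # heuristic: bare label instead of a program name
            findings.append(("review", f"globally open port {port} labelled '{label}' (random-looking label)"))
        else:
            findings.append(("info", f"globally open port {port} labelled '{label}'"))
    return findings


if __name__ == "__main__":
    for sev, msg in triage(SAMPLE_LOG):
        print(f"[{sev.upper():6}] {msg}")
```

Run against a full ComboFix or DDS log the same three checks apply; the legitimate avast! driver entry in the sample is deliberately left unflagged.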

deepak4490
2009-07-26, 20:20
I just did this procedure, and after that I scanned my pen drive with Avast and it detected Win32:confi[wrm] at G:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx

I just deleted it and removed the pen drive immediately. Maybe the pen drive is still infected and it will infect my laptop too; waiting for your help.

Combofix log

ComboFix 09-07-25.06 - Deepak 07/26/2009 22:37.5.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1646 [GMT 5.5:30]
Running from: c:\documents and settings\Deepak\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Deepak\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090725-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"c:\windows\system32\oauhyn.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CFNGIZ
-------\Service_cfngiz


((((((((((((((((((((((((( Files Created from 2009-06-26 to 2009-07-26 )))))))))))))))))))))))))))))))
.

2009-07-25 14:42 . 2009-07-25 14:42 -------- d-----w- c:\documents and settings\Deepak\Local Settings\Application Data\Stardock
2009-07-24 09:23 . 2009-07-24 09:23 -------- d-----w- C:\vghd
2009-07-22 10:26 . 2008-10-24 11:10 453632 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-07-22 10:24 . 2009-07-22 10:26 -------- d--h--w- c:\windows\$hf_mig$
2009-07-19 19:32 . 2009-07-19 19:32 -------- d-----w- c:\documents and settings\Deepak\Application Data\Malwarebytes
2009-07-19 19:12 . 2009-07-13 08:06 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-19 19:12 . 2009-07-19 19:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-19 19:12 . 2009-07-13 08:06 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-19 19:12 . 2009-07-19 19:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-19 13:19 . 2009-07-19 13:19 -------- d-----w- c:\documents and settings\Deepak\Application Data\DivX
2009-07-19 06:14 . 2009-07-19 07:01 442400 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-07-16 16:38 . 2009-07-16 16:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-07-16 16:35 . 2009-07-16 16:36 -------- d-----w- c:\program files\Yahoo!
2009-07-13 21:07 . 2009-07-13 21:07 -------- d-----w- c:\program files\Trend Micro
2009-07-12 12:59 . 2009-07-12 12:59 1078 ----a-r- c:\documents and settings\Deepak\Application Data\Microsoft\Installer\{30BA50ED-0F32-421B-BC6A-132A03EFF299}\ARPPRODUCTICON.exe
2009-07-12 10:08 . 2009-07-12 10:08 12328 ----a-w- c:\documents and settings\Deepak\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-12 09:53 . 2009-02-05 21:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-07-12 09:53 . 2009-02-05 21:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-07-12 09:53 . 2009-02-05 21:05 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-07-12 09:52 . 2009-02-05 21:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-07-12 09:52 . 2009-02-05 21:08 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-07-12 09:52 . 2009-02-05 21:08 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-07-12 09:52 . 2009-02-05 21:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-07-12 09:52 . 2009-02-05 21:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-07-12 09:52 . 2009-02-05 21:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
2009-07-12 09:52 . 2003-03-18 20:20 1060864 ----a-w- c:\windows\system32\MFC71.dll
2009-07-12 09:52 . 2003-03-18 19:14 499712 ----a-w- c:\windows\system32\MSVCP71.dll
2009-07-12 09:52 . 2003-02-21 03:42 348160 ----a-w- c:\windows\system32\MSVCR71.dll
2009-07-12 09:52 . 2009-07-12 09:52 -------- d-----w- c:\program files\Alwil Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-19 07:01 . 2009-07-19 06:14 6260 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-07-12 15:24 . 2009-07-11 14:28 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-07-11 19:42 . 2009-07-11 19:42 -------- d-----w- c:\program files\RomanWare
2009-07-11 19:28 . 2009-07-11 19:28 0 ----a-w- c:\windows\nsreg.dat
2009-07-11 19:26 . 2009-07-11 19:26 -------- d-----w- c:\program files\AVG
2009-07-11 17:49 . 2009-07-11 17:49 -------- d-----w- c:\program files\Synaptics
2009-07-11 17:49 . 2009-07-11 17:49 -------- d-----w- c:\program files\Common Files\InstallShield
2009-07-11 17:39 . 2009-07-11 17:39 -------- d-----w- c:\program files\PaqTool
2009-07-11 17:35 . 2009-07-11 17:35 -------- d-----w- c:\program files\eLitecore
2009-07-11 17:28 . 2009-07-11 17:28 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Intel
2009-07-11 17:28 . 2009-07-11 17:28 -------- d-----w- c:\documents and settings\LocalService\Application Data\Intel
2009-07-11 17:28 . 2009-07-11 17:28 -------- d-----w- c:\documents and settings\Default User\Application Data\Intel
2009-07-11 17:28 . 2009-07-11 17:28 -------- d-----w- c:\documents and settings\Deepak\Application Data\Intel
2009-07-11 17:27 . 2009-07-11 17:27 356352 ----a-w- c:\windows\system32\AegisI5Installer.exe
2009-07-11 17:27 . 2009-07-11 17:27 21393 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-07-11 17:27 . 2009-07-11 17:27 21393 ----a-w- c:\windows\AegisP.sys
2009-07-11 17:27 . 2009-07-11 17:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Intel
2009-07-11 17:27 . 2009-07-11 17:20 -------- d-----w- c:\program files\Intel
2009-07-11 14:29 . 2009-07-11 14:29 -------- d-----w- c:\program files\microsoft frontpage
2009-07-11 14:25 . 2009-07-11 14:25 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-07-23 20:02 . 2009-07-11 19:28 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-07-16_19.19.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-26 17:10 . 2009-07-26 17:10 16384 c:\windows\Temp\Perflib_Perfdata_6d4.dat
+ 2009-07-20 12:38 . 2009-07-20 12:38 16384 c:\windows\Temp\Perflib_Perfdata_6d0.dat
+ 2009-07-22 10:24 . 2008-07-08 13:02 17272 c:\windows\system32\spmsg.dll
+ 2009-07-22 18:11 . 2009-07-22 18:11 84661 c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2009-07-25 19:43 . 2008-03-19 05:38 36352 c:\windows\Resources\Themes\Mustang\Gadgets\Mustang Clock\SDPlugins\SDAnalogClock3.dll
+ 2004-08-04 00:56 . 2008-10-15 16:57 332800 c:\windows\system32\netapi32.dll
+ 2009-02-03 02:15 . 2009-02-03 02:15 240544 c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2004-08-03 23:15 . 2008-10-24 11:10 453632 c:\windows\system32\drivers\mrxsmb.sys
+ 2004-08-04 00:56 . 2008-10-15 16:57 332800 c:\windows\system32\dllcache\netapi32.dll
+ 2009-07-25 19:43 . 2008-02-14 10:00 439544 c:\windows\Resources\Themes\Mustang\Gadgets\Mustang Weather\SDPlugins\DXAxHost.dll
+ 2009-07-25 19:43 . 2008-03-20 06:18 740088 c:\windows\Resources\Themes\Mustang\Gadgets\Mustang Weather\Mustang Weather.exe
+ 2009-07-25 19:43 . 2008-02-14 10:00 421624 c:\windows\Resources\Themes\Mustang\Gadgets\Mustang Media Player\SDPlugins\DXPlayer.dll
+ 2009-07-25 19:43 . 2008-02-14 10:00 439544 c:\windows\Resources\Themes\Mustang\Gadgets\Mustang Media Player\SDPlugins\DXAxHost.dll
+ 2009-07-25 19:43 . 2008-03-19 05:42 746232 c:\windows\Resources\Themes\Mustang\Gadgets\Mustang Media Player\Mustang Media Player.exe
+ 2009-07-25 19:43 . 2008-02-14 10:00 439544 c:\windows\Resources\Themes\Mustang\Gadgets\Mustang Clock\SDPlugins\DXAxHost.dll
+ 2009-07-25 19:43 . 2008-03-19 05:40 767736 c:\windows\Resources\Themes\Mustang\Gadgets\Mustang Clock\Mustang Clock.exe
+ 2009-07-25 19:43 . 2008-02-14 10:00 439544 c:\windows\Resources\Themes\Mustang\Gadgets\Mustang Calendar\SDPlugins\DXAxHost.dll
+ 2009-07-25 19:43 . 2008-03-19 05:40 730872 c:\windows\Resources\Themes\Mustang\Gadgets\Mustang Calendar\Mustang Calendar.exe
+ 2009-07-22 10:26 . 2008-10-24 11:10 453632 c:\windows\Driver Cache\i386\mrxsmb.sys
+ 2009-02-03 02:15 . 2009-02-03 02:15 3771296 c:\windows\system32\Macromed\Flash\NPSWF32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-08-10 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-08-10 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-08-10 137752]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 974848]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-19 774233]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-07 61952]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
24Online Client.lnk - c:\program files\eLitecore\Cyberoam Client for 24Online\CyberoamClient.exe [2004-5-31 249856]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 ENO;ENO;c:\windows\system32\drivers\ENO.sys [5/27/2004 6:51 PM 51564]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [7/12/2009 3:22 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/12/2009 3:22 PM 20560]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\Deepak\LOCALS~1\Temp\ALSysIO.sys --> c:\docume~1\Deepak\LOCALS~1\Temp\ALSysIO.sys [?]
.
.
------- Supplementary Scan -------
.
TCP: {F294541A-6EC8-4BEA-B87A-373231CFEAA6} = 202.56.215.55,202.56.215.54
FF - ProfilePath - c:\documents and settings\Deepak\Application Data\Mozilla\Firefox\Profiles\mj97nr66.default\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-26 22:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\igfxsrvc.exe
c:\progra~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-07-26 22:41 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-26 17:11
ComboFix2.txt 2009-07-23 18:15
ComboFix3.txt 2009-07-20 07:15
ComboFix4.txt 2009-07-19 06:10
ComboFix5.txt 2009-07-26 17:02

Pre-Run: 34,767,880,192 bytes free
Post-Run: 34,729,488,384 bytes free

161

DDS Log


DDS (Ver_09-06-26.01) - NTFSx86
Run by Deepak at 22:44:05.26 on Sun 07/26/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1647 [GMT 5.5:30]

AV: avast! antivirus 4.8.1335 [VPS 090725-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Deepak\Desktop\dds.pif

============== Pseudo HJT Report ===============

mURLSearchHooks: H - No File
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\24onli~1.lnk - c:\program files\elitecore\cyberoam client for 24online\CyberoamClient.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
TCP: {F294541A-6EC8-4BEA-B87A-373231CFEAA6} = 202.56.215.55,202.56.215.54
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\deepak\applic~1\mozilla\firefox\profiles\mj97nr66.default\

============= SERVICES / DRIVERS ===============

R0 ENO;ENO;c:\windows\system32\drivers\ENO.sys [2004-5-27 51564]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-7-12 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-7-12 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-7-12 138680]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-7-12 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-7-12 352920]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\deepak\locals~1\temp\alsysio.sys --> c:\docume~1\deepak\locals~1\temp\ALSysIO.sys [?]

=============== Created Last 30 ================

2009-07-24 14:53 <DIR> --d----- C:\vghd
2009-07-22 15:56 453,632 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-07-22 15:54 <DIR> --d-h--- c:\windows\$hf_mig$
2009-07-20 01:02 <DIR> --d----- c:\docume~1\deepak\applic~1\Malwarebytes
2009-07-20 00:42 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-20 00:42 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-20 00:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-20 00:42 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-19 11:44 442,400 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-07-19 11:44 6,260 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-07-17 00:49 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-07-17 00:47 <DIR> a-dshr-- C:\cmdcons
2009-07-17 00:40 219,648 a------- c:\windows\PEV.exe
2009-07-17 00:40 161,792 a------- c:\windows\SWREG.exe
2009-07-17 00:40 98,816 a------- c:\windows\sed.exe
2009-07-16 22:05 <DIR> --d----- c:\program files\Yahoo!
2009-07-14 02:37 <DIR> --d----- c:\program files\Trend Micro
2009-07-12 15:22 1,060,864 a------- c:\windows\system32\MFC71.dll
2009-07-12 15:22 499,712 a------- c:\windows\system32\MSVCP71.dll
2009-07-12 15:22 348,160 a------- c:\windows\system32\MSVCR71.dll
2009-07-12 01:20 3,072 a------- c:\windows\system32\drivers\audstub.sys
2009-07-12 01:19 57,472 a------- c:\windows\system32\drivers\redbook.sys
2009-07-12 01:19 23,040 a------- c:\windows\system32\drivers\mouclass.sys
2009-07-12 01:19 74,240 ac------ c:\windows\system32\dllcache\usbui.dll
2009-07-12 01:19 74,240 a------- c:\windows\system32\usbui.dll
2009-07-12 01:18 9,344 a------- c:\windows\system32\drivers\compbatt.sys
2009-07-12 01:18 14,080 a------- c:\windows\system32\drivers\battc.sys
2009-07-12 01:18 14,080 a------- c:\windows\system32\drivers\CmBatt.sys
2009-07-12 01:17 <DIR> --d----- c:\program files\common files\ODBC
2009-07-12 01:17 <DIR> --d----- c:\program files\common files\SpeechEngines
2009-07-12 01:17 <DIR> --d--r-- c:\documents and settings\all users\Documents
2009-07-12 01:16 <DIR> --d----- C:\Documents and Settings
2009-07-12 01:15 261 a------- c:\windows\system32\$winnt$.inf
2009-07-12 01:12 <DIR> --d----- c:\program files\RomanWare
2009-07-12 00:56 <DIR> --d----- c:\program files\AVG
2009-07-11 23:22 <DIR> --ds---- c:\documents and settings\deepak\UserData
2009-07-11 23:19 <DIR> --d----- c:\program files\Synaptics
2009-07-11 23:09 <DIR> --d----- c:\program files\PaqTool
2009-07-11 23:05 <DIR> --d----- c:\program files\eLitecore
2009-07-11 22:58 <DIR> --d----- c:\docume~1\deepak\applic~1\Intel
2009-07-11 19:58 <DIR> --dsh--- c:\documents and settings\all users\DRM
2009-07-11 19:57 <DIR> --d-h--- c:\program files\WindowsUpdate
2009-07-11 19:56 <DIR> --d----- c:\program files\common files\MSSoap
2009-07-11 19:55 <DIR> --d----- c:\program files\Online Services
2009-07-11 19:55 <DIR> --d----- c:\program files\Messenger
2009-07-11 19:55 <DIR> --d----- c:\program files\MSN Gaming Zone
2009-07-11 19:54 <DIR> --d----- c:\program files\Windows NT

==================== Find3M ====================

2009-07-12 20:54 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-07-11 22:57 356,352 a------- c:\windows\system32\AegisI5Installer.exe
2009-07-11 22:57 21,393 a------- c:\windows\system32\drivers\AegisP.sys
2009-07-11 22:57 21,393 a------- c:\windows\AegisP.sys
2009-07-11 19:55 21,640 a------- c:\windows\system32\emptyregdb.dat

============= FINISH: 22:44:13.45 ===============

Blade81
2009-07-27, 00:29
I just did this procedure and after that I scanned my pendrive with Avast and it detected Win32:confi[wrm] at G:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx
Hi,

I told you this in my previous post: "Insert pendrive into this system we're cleaning so that the drive will be cleaned too." So, please have it attached in this system and run Kaspersky scanner against it. Does Avast still detect anything bad on it?
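The indicator quoted above (Avast's Win32:confi[wrm] detection at G:\RECYCLER\S-5-3-42-...\jwgkvsq.vmx) is the Conficker USB dropper layout: a RECYCLER folder holding a fake SID-named subfolder with jwgkvsq.vmx inside. The following is an added example, not code from this thread or from any of the tools mentioned in it, of how to check a mounted pendrive for that layout before and after cleaning. Assumptions: the drive is mounted at whatever path you pass as `root`; the names `scan_drive`, `build_sample_drive`, `demo_infected` and `demo_clean` are mine; the sample drive tree is constructed for the demo and contains no malware; and the autorun.inf check relies on general knowledge that Conficker also dropped a junk-padded autorun.inf naming jwgkvsq.vmx, which the thread itself does not show.

```python
"""Check a removable drive for the Conficker USB dropper layout seen in this
thread: <drive>\RECYCLER\<SID-like folder>\jwgkvsq.vmx.

Added example (assumed names, constructed sample data, not from the thread).
"""
import os
import re
import tempfile

# Bogus SID-shaped folder names such as S-5-3-42-2819952290-8240758988-879315005-3665
SID_DIR = re.compile(r"^S-\d+(?:-\d+)+$", re.IGNORECASE)
DROPPER_NAME = "jwgkvsq.vmx"


def scan_drive(root):
    """Return a list of (kind, path) indicators found under `root`.

    kind is one of:
      'dropper' - RECYCLER/<SID dir>/jwgkvsq.vmx (the file Avast flagged in the thread)
      'autorun' - an autorun.inf at the drive root that names jwgkvsq.vmx
                  (assumption from general Conficker knowledge, not shown in the thread)
    Name matching is case-insensitive because FAT volumes only preserve case.
    """
    findings = []
    entries = os.listdir(root)

    recycler = next((os.path.join(root, n) for n in entries
                     if n.lower() == "recycler" and os.path.isdir(os.path.join(root, n))), None)
    if recycler:
        for sub in os.listdir(recycler):
            sub_path = os.path.join(recycler, sub)
            if not (SID_DIR.match(sub) and os.path.isdir(sub_path)):
                continue
            for fname in os.listdir(sub_path):
                if fname.lower() == DROPPER_NAME:
                    findings.append(("dropper", os.path.join(sub_path, fname)))

    for n in entries:
        if n.lower() == "autorun.inf":
            path = os.path.join(root, n)
            with open(path, "rb") as fh:
                data = fh.read()
            # The dropper's autorun.inf is padded with binary junk, so search raw bytes.
            if DROPPER_NAME.encode() in data.lower():
                findings.append(("autorun", path))
    return findings


def build_sample_drive(base):
    """Create a constructed (fake) infected-drive layout; the files are placeholders."""
    sid_dir = os.path.join(base, "RECYCLER", "S-5-3-42-2819952290-8240758988-879315005-3665")
    os.makedirs(sid_dir)
    with open(os.path.join(sid_dir, "jwgkvsq.vmx"), "wb") as fh:
        fh.write(b"\x00" * 16)                      # placeholder bytes, not malware
    with open(os.path.join(base, "autorun.inf"), "wb") as fh:
        fh.write(b"[autorun]\r\n" + b"\xff" * 32 +   # junk padding like the real file
                 b"\r\nshellexecute=RUNDLL32.EXE .\\RECYCLER\\"
                 b"S-5-3-42-2819952290-8240758988-879315005-3665\\jwgkvsq.vmx\r\n")
    os.makedirs(os.path.join(base, "Photos"))
    with open(os.path.join(base, "Photos", "holiday.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8")                       # harmless user file
    return base


def demo_infected():
    """Scan the constructed infected layout; returns the indicator kinds found."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_drive(tmp)
        return [kind for kind, _ in scan_drive(tmp)]


def demo_clean():
    """A legitimate NTFS-style RECYCLER (real S-1-5-21 SID, no dropper) must not alert."""
    with tempfile.TemporaryDirectory() as tmp:
        legit = os.path.join(tmp, "RECYCLER", "S-1-5-21-1000-2000-3000-1001")
        os.makedirs(legit)
        open(os.path.join(legit, "INFO2"), "wb").close()
        return scan_drive(tmp)


if __name__ == "__main__":
    print("infected sample:", demo_infected())   # ['dropper', 'autorun']
    print("clean sample:   ", demo_clean())      # []
```

Run it against the real pendrive with `scan_drive("G:\\")` after the Kaspersky scan; an empty list means the dropper file and its autorun.inf are gone, while a RECYCLER folder with real S-1-5-21 SIDs is normal and is deliberately not reported.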

Blade81
2009-08-04, 17:59
Due to inactivity, this thread will now be closed.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic; you would be starting fresh.

If it has been less than four days since your last response and you need the thread re-opened, please send me or a MOD a private message (PM). A valid, working link to the closed topic is required.